>>>>> "Hannes" == Hannes Tschofenig <[email protected]> writes:
Hannes> Hi Sam, let us start with the problem description: You claim
Hannes> that EAP peer implementations use PK-based authentication
Hannes> but do not do certificate validation. This obviously
Hannes> introduces attacks (regardless of channel bindings, or
Hannes> crypto bindings).
Hannes> Any evidence that this is really a problem? And if it is a
Hannes> problem why that cannot be fixed with a software update. If
Hannes> you chose a specific EAP method then you obviously have to
Hannes> deploy the necessary credentials and parameters at both end
Hannes> points in order for it to work.
As I went on to say, with the case of the EAP tunnel method we're
specifying here, use case 3.9 of the requirements document requires that
the method be secure if the inner method is sufficiently secure even if
certificates are not checked.
_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu