On Jan 5, 2021, at 11:05 AM, Michael Richardson <[email protected]> wrote:
>
> Alan DeKok <[email protected]> wrote:
>> Therefore, we need an explicit signal to the EAP-TLS layer that the
>
> Do you mean, "to the EAP layer"?
> s/EAP-TLS layer/EAP/ ??

If the EAP-TLS layer allows TLS negotiation OR EAP-Success, then it's possible to bypass TLS by spoofing an EAP-Success. So the EAP-TLS layer needs to have a way to say "we're done, EAP-Success is now OK".

It's really nested:

EAP ( EAP-TLS ( TLS ) )

We can't finish EAP until we know that EAP-TLS is finished. We can't finish EAP-TLS until we know that TLS is finished.

Alan DeKok.

_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
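The nesting described in the message above, as an added toy model that is not part of the thread and not any RFC or implementation's code: the EAP layer accepts an EAP-Success only after the EAP-TLS method has raised an explicit "done" flag, which it in turn sets only once the inner TLS handshake has finished. The class names, the `strict` switch and the byte strings standing in for TLS records are all constructed for this example.

```python
"""Toy model of EAP ( EAP-TLS ( TLS ) ) with an explicit completion signal.

Constructed illustration only. Mirrors the idea in RFC 4137 that the EAP
peer acts on an EAP-Success only once the method has reported a decision.
"""
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4


class TlsLayer:
    """Innermost layer: only tracks whether the TLS handshake completed."""
    def __init__(self):
        self.finished = False

    def process(self, record):
        # Constructed stand-in: a "Finished" record completes the handshake.
        if record == b"Finished":
            self.finished = True


class EapTlsLayer:
    """Middle layer: wraps TLS and exposes a single 'done' signal upward."""
    def __init__(self):
        self.tls = TlsLayer()
        self.done = False

    def process(self, payload):
        self.tls.process(payload)
        self.done = self.tls.finished  # we're done only when TLS is done


class EapPeer:
    """Outer EAP layer. strict=True waits for the method's done signal;
    strict=False models the flawed behaviour where EAP-Success is accepted
    while TLS negotiation is still possible."""
    def __init__(self, strict=True):
        self.method = EapTlsLayer()
        self.strict = strict
        self.authenticated = False

    def receive(self, code, payload=b""):
        if code == EAP_REQUEST:
            self.method.process(payload)
            return "handled"
        if code == EAP_SUCCESS:
            if self.strict and not self.method.done:
                return "discarded"  # premature EAP-Success: TLS not finished
            self.authenticated = True
            return "accepted"
        return "ignored"


def premature_success(strict=True):
    """EAP-Success arrives mid-handshake (constructed): (outcome, authed)."""
    peer = EapPeer(strict)
    peer.receive(EAP_REQUEST, b"ServerHello")
    return peer.receive(EAP_SUCCESS), peer.authenticated


def completed_success():
    """EAP-Success arrives after TLS Finished: (outcome, authed)."""
    peer = EapPeer()
    peer.receive(EAP_REQUEST, b"ServerHello")
    peer.receive(EAP_REQUEST, b"Finished")
    return peer.receive(EAP_SUCCESS), peer.authenticated
```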
