On Feb 5, 2021, at 2:53 PM, Alan DeKok <[email protected]> wrote:

> The TLS layer generally *will* produce TLS alerts. The application has the
> choice whether or not to send them. i.e. it should just discard the TLS
> alerts, and instead send EAP-Failure.
Typo, sorry. It "could" discard the TLS alert and send EAP-Failure.

I would suggest instead that it MUST send the TLS alert before any EAP-Failure.

One reason is that currently, the EAP layer has no reliable indication that the TLS layer failed. It *could* just get an EAP-Failure at any point. Which makes implementations fragile and awkward.

If instead EAP-TLS 1.3 mandates sending a TLS alert *before* EAP-Failure, then this meets the "altReject" criteria of RFC 4137. And implementations know exactly what to expect, and when.

Alan DeKok.

_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
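To illustrate the distinction the message draws, here is an added example (not code from this thread, nor from any EAP implementation): a small peer-side tracker that remembers a fatal TLS alert carried in an EAP-Request/EAP-TLS and then classifies a following EAP-Failure either as an "altReject" case (the TLS layer explained the failure first) or as an unexplained, bare EAP-Failure. Packet layouts follow the EAP header of RFC 3748 and the EAP-TLS type and flags byte of RFC 5216; the two sample exchanges and the `PeerFailureTracker`/`classify_exchange` names are constructed for this illustration.

```python
import struct

# EAP codes (RFC 3748) and the EAP-TLS type and flags byte (RFC 5216).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_TLS = 13
FLAG_L = 0x80          # "length included": a 4-byte TLS message length follows the flags
TLS_CT_ALERT = 21      # TLS record content type for alerts
TLS_ALERT_FATAL = 2    # alert level 2 = fatal


def eap_packet(code, identifier, payload=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) followed by the payload."""
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def eap_tls_request(identifier, tls_data, flags=0):
    """EAP-Request of Type EAP-TLS carrying raw TLS records after the flags byte."""
    return eap_packet(EAP_REQUEST, identifier, bytes([EAP_TYPE_TLS, flags]) + tls_data)


def tls_alert_record(level, description):
    """One TLS record of content type alert (record version bytes 0x0303, body = level, description)."""
    return bytes([TLS_CT_ALERT, 0x03, 0x03, 0x00, 0x02, level, description])


def tls_alerts_in(tls_data):
    """Walk the TLS records in tls_data and return (level, description) for every alert record."""
    alerts, off = [], 0
    while off + 5 <= len(tls_data):
        ctype = tls_data[off]
        (length,) = struct.unpack("!H", tls_data[off + 3:off + 5])
        body = tls_data[off + 5:off + 5 + length]
        if len(body) < length:
            break                      # truncated record: stop rather than misparse
        if ctype == TLS_CT_ALERT and len(body) == 2:
            alerts.append((body[0], body[1]))
        off += 5 + length
    return alerts


class PeerFailureTracker:
    """Hypothetical peer-side bookkeeping: remember a fatal TLS alert so that a later
    EAP-Failure can be recognised as the altReject case instead of an unexplained failure."""

    def __init__(self):
        self.fatal_alert = None   # description byte of the last fatal alert seen, if any

    def receive(self, packet):
        code, identifier, length = struct.unpack("!BBH", packet[:4])
        if length != len(packet):
            raise ValueError("EAP Length field does not match packet size")
        if code == EAP_FAILURE:
            if self.fatal_alert is not None:
                return ("altReject", self.fatal_alert)
            return ("unexplained-failure", None)
        if code == EAP_REQUEST and len(packet) >= 6 and packet[4] == EAP_TYPE_TLS:
            flags, tls = packet[5], packet[6:]
            if flags & FLAG_L:
                tls = tls[4:]         # skip the 4-byte TLS message length field
            for level, description in tls_alerts_in(tls):
                if level == TLS_ALERT_FATAL:
                    self.fatal_alert = description
            return ("request", None)
        return ("ignored", None)


def classify_exchange(packets):
    """Feed server-to-peer packets in order and return the classification of the last one."""
    tracker, result = PeerFailureTracker(), None
    for packet in packets:
        result = tracker.receive(packet)
    return result


# Constructed sample exchanges (not captured traffic).
# Case A: a fatal alert (description 40 = handshake_failure) arrives, then EAP-Failure.
WITH_ALERT = [eap_tls_request(7, tls_alert_record(TLS_ALERT_FATAL, 40)),
              eap_packet(EAP_FAILURE, 8)]
# Case B: a bare EAP-Failure with no TLS-layer explanation at all.
BARE_FAILURE = [eap_packet(EAP_FAILURE, 8)]

if __name__ == "__main__":
    print(classify_exchange(WITH_ALERT))    # ('altReject', 40)
    print(classify_exchange(BARE_FAILURE))  # ('unexplained-failure', None)
```

Case A is the behaviour the message argues EAP-TLS 1.3 should mandate: the peer sees the TLS alert first, so the EAP-Failure that follows is expected and carries a reason. Case B is the situation the message calls fragile: the EAP layer has nothing to go on beyond the failure itself.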
