On Jul 31, 2023, at 6:00 PM, Eliot Lear <[email protected]> wrote:
> We're not quite done. The following text needs to be removed, an additional
> example added:
>
>> If there is no Phase 2 data, then the EAP
>> server MUST reject the session. There is no reason to have TEAP
>> devolve to EAP-TLS.
The intent was clarified in the next paragraph:
Note that the Phase 2 data could simply be a Result TLV with value
Success, along with a Crypto-Binding TLV and Intermediate-Result TLV.
This Phase 2 data serves as a protected success indication as
discussed in {{RFC9190}} Section 2.1.1.
i.e., TEAP with outer client certificate and no Phase 2 crypto-binding seems
wrong.
> IoT devices need a way to authenticate as TEAP is EAP-TLS under nominal
> conditions. When a certificate is about to expire, then the expectation is
> that either the client will issue a PKCS#10 request or the server will issue
> a request action TLV with PKCS#10, so that the client knows the server wants
> it to renew.
Sure.
Perhaps the text could just remove the last sentence about devolving to
EAP-TLS.
Alan DeKok.
_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
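Added example, not code from the thread, the draft or any TEAP implementation: a minimal TEAP TLV parser plus the server-side check the thread describes, rejecting empty Phase 2 data and accepting the Result TLV + Crypto-Binding TLV + Intermediate-Result TLV combination as a protected success indication. The TLV type codes and status values are assumed from RFC 7170 Section 4.2, and the Crypto-Binding value is a constructed placeholder, not a verified compound MAC.

```python
import struct

# TEAP TLV type codes and Result/Intermediate-Result status values, assumed
# from RFC 7170 Section 4.2 (these constants are this example's assumption).
TLV_RESULT = 3
TLV_INTERMEDIATE_RESULT = 10
TLV_CRYPTO_BINDING = 12
STATUS_SUCCESS = 1


def parse_tlvs(data: bytes):
    """Parse a run of TEAP TLVs: 2-byte header (M bit, R bit, 14-bit type),
    2-byte length, then value. Raises ValueError on truncation."""
    tlvs = []
    off = 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated TLV header")
        type_field, length = struct.unpack_from("!HH", data, off)
        tlv_type = type_field & 0x3FFF          # strip M and R bits
        mandatory = bool(type_field & 0x8000)
        value = data[off + 4: off + 4 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        tlvs.append((tlv_type, mandatory, value))
        off += 4 + length
    return tlvs


def phase2_is_protected_success(phase2: bytes) -> bool:
    """Server-side rule from the thread: no Phase 2 data -> reject. The
    minimal acceptable Phase 2 is Result(Success) + Crypto-Binding +
    Intermediate-Result(Success); the MAC itself is checked elsewhere."""
    if not phase2:
        return False
    present = {t: v for t, _m, v in parse_tlvs(phase2)}
    if TLV_CRYPTO_BINDING not in present:
        return False
    for needed in (TLV_RESULT, TLV_INTERMEDIATE_RESULT):
        value = present.get(needed)
        # status is the first 2 octets of both Result and Intermediate-Result
        if value is None or len(value) < 2:
            return False
        if struct.unpack("!H", value[:2])[0] != STATUS_SUCCESS:
            return False
    return True


def tlv(tlv_type: int, value: bytes, mandatory: bool = True) -> bytes:
    """Build one TLV (helper for the constructed sample below)."""
    header = (0x8000 if mandatory else 0) | tlv_type
    return struct.pack("!HH", header, len(value)) + value


# Constructed sample Phase 2 payload; the 76 zero bytes stand in for a
# Crypto-Binding TLV body and are not a real compound MAC.
SAMPLE_PHASE2 = (tlv(TLV_RESULT, b"\x00\x01")
                 + tlv(TLV_CRYPTO_BINDING, b"\x00" * 76)
                 + tlv(TLV_INTERMEDIATE_RESULT, b"\x00\x01"))
```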