On Sun, 20 Aug 2023 at 15:58, Alan DeKok <[email protected]> wrote:
> On Aug 20, 2023, at 5:15 AM, Alexander Clouter <[email protected]> wrote:
> >
> > On Fri, 18 Aug 2023, at 01:01, Michael Richardson wrote:
> >> I'm not sure it's sane to use EAP-TLS for Inner method myself.
> >
> > If you mean in the general sense, I can imagine placing the user
> > credential on a hardware key whilst the machine credential is either a
> > regular software keychain or even more exotic and tied to the TPM.
>
> Or both user and machine do EAP-TLS. Only one certificate can be sent
> over TLS in Phase 1. The other has to be sent in EAP-TLS in Phase 2.
>
> But I do agree... TLS inside of TLS just seems bad.
>

I thought the justification for inner EAP-TLS with different tunnelling EAP methods, such as PEAP, is hiding the end user's identity. With TLS 1.3 this is no longer a problem, but with TLS 1.2 the client certificate is not encrypted.

-- 
Heikki Vatiainen
[email protected]
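The identity-hiding point above can be checked mechanically from a passive view of the record layer. The script below is an added illustration, not code from this thread or from any EAP implementation: it parses one direction of a TLS byte stream and reports which handshake messages an on-path observer can read in the clear. Both flights it inspects are constructed in the script (a placeholder byte string stands in for the user certificate, and an XOR over the bytes stands in for AEAD record protection, purely so the demo runs offline); in the TLS 1.2 flight the client Certificate and CertificateVerify travel as plaintext handshake records before ChangeCipherSpec, while in the TLS 1.3 flight everything after ClientHello is carried in protected application_data records.

```python
import struct

# TLS record content types (RFC 5246 / RFC 8446)
CHANGE_CIPHER_SPEC = 20
HANDSHAKE = 22
APPLICATION_DATA = 23

HANDSHAKE_NAMES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
    13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
    16: "ClientKeyExchange", 20: "Finished",
}


def tls_records(stream):
    """Split one direction of a TLS byte stream into (content_type, payload) records."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, _legacy_version, length = struct.unpack("!BHH", stream[off:off + 5])
        off += 5
        payload = stream[off:off + length]
        if len(payload) != length:
            raise ValueError("truncated record body")
        off += length
        yield ctype, payload


def handshake_messages(payload):
    """Split a plaintext handshake record into (msg_type, body) messages."""
    off = 0
    while off < len(payload):
        mtype = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake message")
        off += 4 + length
        yield mtype, body


def visible_handshake(stream):
    """Return (handshake message names readable in the clear, count of opaque records).

    Handshake records after a ChangeCipherSpec are treated as encrypted (TLS 1.2);
    TLS 1.3 carries everything after ServerHello as application_data anyway."""
    visible, opaque, encrypted = [], 0, False
    for ctype, payload in tls_records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True
        elif ctype == HANDSHAKE and not encrypted:
            for mtype, _body in handshake_messages(payload):
                visible.append(HANDSHAKE_NAMES.get(mtype, f"type{mtype}"))
        else:
            opaque += 1
    return visible, opaque


def certificate_in_clear(stream, cert_der):
    """True if the certificate's DER bytes are readable inside a plaintext handshake record."""
    encrypted = False
    for ctype, payload in tls_records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True
        elif ctype == HANDSHAKE and not encrypted and cert_der in payload:
            return True
    return False


# --- constructed sample flights (not real captures) ---------------------------

def _hs(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


def _record(ctype, payload, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def _certificate_message(cert_der):
    entry = len(cert_der).to_bytes(3, "big") + cert_der
    return _hs(11, len(entry).to_bytes(3, "big") + entry)


# Placeholder DER: constructed bytes standing in for the user's certificate.
FAKE_CLIENT_CERT = b"\x30\x82\x00\x40" + b"PLACEHOLDER-USER-CERT-DER-" * 2


def tls12_client_flight(cert_der=FAKE_CLIENT_CERT):
    """TLS 1.2 client's second flight: Certificate, ClientKeyExchange and
    CertificateVerify in the clear, then ChangeCipherSpec and an encrypted Finished."""
    clear = _certificate_message(cert_der) + _hs(16, b"\x00" * 32) + _hs(15, b"\x00" * 16)
    return (_record(HANDSHAKE, clear)
            + _record(CHANGE_CIPHER_SPEC, b"\x01")
            + _record(HANDSHAKE, b"\xaa" * 40))  # ciphertext stand-in for Finished


def _opaque(plaintext):
    # Stand-in for AEAD record protection: hides the bytes for the demo only, not real encryption.
    return bytes(b ^ 0x5A for b in plaintext)


def tls13_client_flight(cert_der=FAKE_CLIENT_CERT):
    """TLS 1.3 client: ClientHello in the clear, compatibility ChangeCipherSpec, then
    Certificate, CertificateVerify and Finished inside protected application_data records."""
    return (_record(HANDSHAKE, _hs(1, b"\x03\x03" + b"\x11" * 32), version=0x0301)
            + _record(CHANGE_CIPHER_SPEC, b"\x01")
            + _record(APPLICATION_DATA, _opaque(_certificate_message(cert_der)))
            + _record(APPLICATION_DATA, _opaque(_hs(15, b"\x00" * 16)))
            + _record(APPLICATION_DATA, _opaque(_hs(20, b"\x00" * 32))))


if __name__ == "__main__":
    for name, flight in (("TLS 1.2", tls12_client_flight()), ("TLS 1.3", tls13_client_flight())):
        seen, hidden = visible_handshake(flight)
        print(name, "visible:", seen, "opaque records:", hidden,
              "cert readable:", certificate_in_clear(flight, FAKE_CLIENT_CERT))
```

Running it prints the TLS 1.2 flight with Certificate and CertificateVerify visible and the certificate bytes readable, and the TLS 1.3 flight with only ClientHello visible. This is the reason an outer tunnel (PEAP, TEAP) was needed to protect the user identity when the inner method is EAP-TLS over TLS 1.2; with TLS 1.3 the client certificate is already protected by the handshake itself.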
_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
