On Aug 28, 2023, at 2:20 PM, Eliot Lear <l...@lear.ch> wrote:

>> First, section 3.11.1 states that authentication is needed before
>> provisioning, but C.11. does not show any authentication. Should the diagram
>> show phase 1 client certificate authentication or phase 2 tunnelled
>> authentication? Are both valid types of authentication as required by
>> section 3.1.1?
>
> C.11 assumes bi-directional certificate exchange OR POK. Perhaps that should
> be stated.

I'll add some text.

>> Third, the draft does not say that PKCS exchange is an inner method. It's
>> not an inner authentication method, but according to example C.11. the
>> exchange ends with Crypto-Binding and Intermediate-Result TLV exchange
>> similarly to inner authentication methods. Would it be possible to clarify
>> the type of PKCS exchange (inner method, something else)? Because it appears
>> to be an inner method, also add text to section 3.11. where the use of the
>> two TLV types is required.
>
> Agree. It's an inner method, as indicated in Section 4.3.2.

I'll add PKCS to the definition of "inner method", and note that it has to be authenticated.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu