On 10.11.2025 12:38, Alan DeKok wrote:
On Nov 10, 2025, at 9:47 AM, Michael Richardson wrote:

As we discussed at the mic, I'm not convinced it's needed, and I'm concerned that it requires much more effort to deploy. Having said that, if the WG prefers this, then it could be done.

My $0.02 would be to just use EAP-TLS. The signal of EAP Identity being @tls.eap.arpa should be enough for people to tell the difference between that and normal TLS.

If I understand correctly, Heikki wants a signal to indicate unauthenticated TLS. Is that on both ends or one? If it's just the client, it should not ever bother to support authenticated EAP-TLS if it's going to support unauthenticated, because there will be a constant risk of a downgrade. In that case, maybe it's possible simply to register something in eap.arpa, but make clear that it's the same EAP-TLS method (we might want to do the same for TEAP if we're going to play this game at all).

Eliot
