[Emu] Encourage people to make issues on GitHub for EAP-TLS 1.3

2021-02-03 Thread John Mattsson
Hi, I would strongly encourage people to make concrete and well-defined issues on GitHub for any major issues that you think need to be addressed before -13, -14 or -xx progress. Mailing issues to the list is of course also accepted but tends to get dragged into long conversations and are not a

Re: [Emu] Underspecification of EAP-TLS 1.3 State Machine

2021-02-03 Thread Alan DeKok
On Feb 3, 2021, at 1:51 PM, Michael Richardson wrote: > My understanding is that: > 1) the TLS Finish message can now occur prior to the client certificate > even being transmitted, let alone validated. > This is a feature in TLS 1.3 that lets application data in the > typical browser

Re: [Emu] Underspecification of EAP-TLS 1.3 State Machine

2021-02-03 Thread Michael Richardson
I haven't been able to follow all of the thread on the impedance mismatch between EAP and TLS, which the EAP-TLS specification is intended to resolve. (I did talk on the phone with Alan yesterday, and he recapped some issues for me. My other qualification is that I implemented EAP-SIM 20 years ago,

Re: [Emu] Underspecification of EAP-TLS 1.3 State Machine

2021-02-03 Thread Alan DeKok
On Feb 3, 2021, at 8:32 AM, John Mattsson wrote: > I seriously don't know where you got all of the above from. I only summarized > the earlier discussion. I did not state any opinions. I'm asking you as author to understand, explain, and defend the draft that you wrote. The issue is *exactl

Re: [Emu] Underspecification of EAP-TLS 1.3 State Machine

2021-02-03 Thread John Mattsson
Alan DeKok wrote: > Does that mean all open issues have been addressed and resolved? > > The current suggestion from Eric is to *not* use application data, but to use > CloseNotify instead. Does this mean the earlier discussion was wrong, or is > the current suggestion wrong? Are we allowed to

Re: [Emu] Underspecification of EAP-TLS 1.3 State Machine

2021-02-03 Thread Alan DeKok
On Feb 3, 2021, at 5:26 AM, John Mattsson wrote: > At the same meeting it was also ruled out to use the Reserved bits in EAP-TLS > header and to make EAP-Success carry payload. Latency and security were > discussed a lot with Bernard keeping the security high and Jouni expressing > on the maili

Re: [Emu] Underspecification of EAP-TLS 1.3 State Machine

2021-02-03 Thread John Mattsson
Hi, Maybe not so important to figure out who suggested what, but I think the whole discussion took place at IETF 102. https://datatracker.ietf.org/meeting/102/materials/slides-102-emu-eap-tls-with-tls-13-00.pdf https://datatracker.ietf.org/meeting/102/materials/minutes-102-emu-00 https://www.

Re: [Emu] New Version Notification for draft-ietf-emu-eap-tls13-14.txt

2021-02-03 Thread John Mattsson
Hi, There were several recent comments on close_notify and the ability to send alert messages. My understanding is that the message flow in -14 allows the important alert messages to be sent. The server can always send an alert explaining why client authentication failed. This should be a hard r

Re: [Emu] EAP-TLS protected result indications

2021-02-03 Thread John Mattsson
Hi, Thanks, that is good information. Note that RFC 4137 gives informative examples of how EAP can be implemented and is not even mentioned in RFC 5216. Given this discussion it feels like RFC 5216 also needs to follow RFC 4137 or do something similar to be secure. RFC 5216 does not say anything about