Alan DeKok <[email protected]> wrote:

> I would suggest then referencing or duplicating the above text, and saying
> something like:
>
> ---
> Implementations SHOULD be capable of session resumption across different
> TLS-based EAP types. This recommendation is made for a few reasons. It is
> recommended by [RFC7301], there appears to be no compelling reason to forbid
> it, and implementations can always choose to reject session resumption based
> on local policies.
>
> Some EAP types have complex state and negotiation. For these EAP types,
> session resumption across different EAP types may not be possible, and if not
> possible, MUST be forbidden by both specifications and implementations.
> Additional discussion of this topic is outside of the scope of this document.
> ---

Good suggestion, I'll add something like that to the resumption section in draft-ietf-emu-eap-tls13.

> e.g. TTLS and PEAP both allow session resumption, and when done, skip the
> phase 2 / inner-tunnel authentication.

That seems like it could be a security problem in some implementations, as cross-method resumption is not discussed anywhere and TTLS and PEAP say that inner-tunnel authentication is skipped for TLS resumption... Your planned document on TLS 1.3 for other EAP methods should have some text describing this.

Rather than forbidding cross-method resumption for TTLS and PEAP, I assume one could just specify that inner-tunnel authentication must be done after cross-method resumption. Or?

_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
