On Nov 2, 2020, at 4:37 AM, Hannes Tschofenig <hannes.tschofe...@arm.com> wrote:
> IMHO the entire text in Section 5.7 reads a bit like you are giving 
> implementation guidance. That would be great if John or you had written such 
> code. I don’t know whether you have.
> You are giving the reader the impression that there is a problem with session 
> resumption. I don’t believe there is a problem and I gave you reasons in my 
> email.

  There is a problem with session resumption.  RFC 5216 is silent on security 
issues with respect to session resumption.  That's a major flaw in the 
specification.

  I had given reasons for this position earlier, in my original post 
recommending changes to this document.  And again in my earlier reply to your 
message.

> At a minimum, I would clarify in the introduction what the updates to RFC 
> 5216 are. This will help those implementers that focus on a variant of 
> EAP-TLS that uses version 1.2. As mentioned above, I don't believe Sections 
> 5.6 and 5.7 belong to this document. Leave it in there if someone in the 
> group gets paid by the number of published pages. 

  I believe that an EAP-TLS document should discuss security, implementation, 
and deployment issues with respect to EAP-TLS.

  You have a point in that many of these issues are applicable to other 
TLS-based EAP methods, too.  Updates to those methods can reference this 
document.  There's no need for a separate document.

  Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
