On Nov 2, 2020, at 4:37 AM, Hannes Tschofenig <hannes.tschofe...@arm.com> wrote:
> IMHO the entire text in Section 5.7 reads a bit like you are giving
> implementation guidance. That would be great if John or you had written such
> code. I don’t know whether you have.
> You are giving the reader the impression that there is a problem with session
> resumption. I don’t believe there is a problem and I gave you reasons in my
> email.

There is a problem with session resumption. RFC 5216 is silent on security issues with respect to session resumption. That's a major flaw in the specification.

I had given reasons for this position earlier, in my original post recommending changes to this document. And again in my earlier reply to your message.

> At a minimum, I would clarify in the introduction what the updates to RFC
> 5216 are. This will help those implementers that focus on a variant of
> EAP-TLS that uses version 1.2. As mentioned above, I don't believe Sections
> 5.6 and 5.7 belong to this document. Leave it in there if someone in the
> group gets paid by the number of published pages.

I believe that an EAP-TLS document should discuss security, implementation, and deployment issues with respect to EAP-TLS.

You have a point in that many of these issues are applicable to other TLS-based EAP methods, too. Updates to those methods can reference this document. There's no need for a separate document.

Alan DeKok.