On Mon, Feb 8, 2021, at 13:27, Joseph Salowey wrote: > Both Martin and Ben proposed adding the peer identity into the context > parameter for the TLS exporter key derivation.
So I wasn't suggesting the client certificate, as that is covered by the client key confirmation and (I think) the results we have from the exported authenticator work indicates that this isn't necessary for the security of the protocol; validating the Finished is what provides the assurances there. What I was concerned about was the information that is exchanged in EAP *before* the TLS handshake begins that might affect the choice of certificate to offer. As this is not authenticated at all, there are trivial attacks if a client uses that information to guide its choice of certificate. For that problem, including the certificate as context in the key exporter doesn't help, but including any information that might appear outside could, if you get all of it. _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu