On Mar 11, 2022, at 5:53 AM, Karri Huhtanen <karri.huhtanen+i...@gmail.com> wrote:

> Heikki clarified that this was about the phase1 so the use case in my
> previous email and below does not apply.

Yes. TLS 1.3 encrypts the client certificate, so there's no need to "hide" EAP-TLS inside of another EAP method. It probably wouldn't hurt to forbid the use of it, to be honest. But that's a larger question for the working group, i.e. does TTLS with inner EAP-TLS add any value? Is it useful?

> It may however be something to be considered in other drafts if binding of
> the outer and inner identity realm is defined.

The current draft has a long section on inner vs outer identities:

https://datatracker.ietf.org/doc/html/draft-ietf-emu-tls-eap-types-05#section-3.1

In short, there's no reason to have different realms for inner/outer identities. Either the inner identity has no realm, or the realm matches the outside one.

The only use-case for different realms is to separate AAA routing from AAA authentication, i.e. a company "example.com" defines users, but the AAA server is hosted at "example.org". In that case, the outer identity would route the packets to the hosting provider, who would then use the inner identity to authenticate the user.

IMHO this practice should be strongly discouraged, for reasons discussed in the draft.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
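The realm-binding rule stated above (inner identity has no realm, or its realm equals the outer realm) as a server-side policy check. This is an added example, not code from the thread, the draft or any AAA server; the NAI splitting follows the username@realm shape of RFC 7542, and the sample identity pairs are constructed.

```python
from typing import Optional, Tuple


def split_nai(identity: str) -> Tuple[str, Optional[str]]:
    """Split a Network Access Identifier into (username, realm).

    The realm is the part after the last '@' (RFC 7542 allows an escaped '@'
    inside the username), lower-cased because realms match
    case-insensitively. A missing or empty realm is returned as None.
    """
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    return user, (realm.lower() or None)


def check_identity_binding(outer: str, inner: str) -> Tuple[bool, str]:
    """Apply the inner/outer realm-binding rule to one identity pair.

    Accepts when the inner identity carries no realm, or carries the same
    realm as the outer identity. Rejects when the realms differ, which is
    the 'route via example.org, authenticate as example.com' arrangement
    the message discourages. Returns (accepted, short reason code).
    """
    _, outer_realm = split_nai(outer)
    inner_user, inner_realm = split_nai(inner)
    if not inner_user:
        return False, "empty-inner-username"
    if inner_realm is None:
        return True, "inner-realm-absent"
    if inner_realm == outer_realm:
        return True, "realms-match"
    return False, "realm-mismatch"


# Constructed sample pairs (hypothetical, not from the thread): outer identity
# as sent in EAP-Response/Identity, inner identity as sent inside the tunnel.
SAMPLE_PAIRS = [
    ("anonymous@example.com", "alice"),
    ("anonymous@example.com", "alice@EXAMPLE.COM"),
    ("anonymous@example.org", "alice@example.com"),
    ("@example.com", "@example.com"),
]


def evaluate_samples():
    """Run the check over SAMPLE_PAIRS; returns (outer, inner, ok, reason)."""
    return [(o, i, *check_identity_binding(o, i)) for o, i in SAMPLE_PAIRS]


if __name__ == "__main__":
    for outer, inner, ok, why in evaluate_samples():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {outer!r:26} {inner!r:22} {why}")
```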