On Jul 31, 2023, at 6:00 PM, Eliot Lear <l...@lear.ch> wrote:
> We're not quite done. The following text needs to be removed, an additional
> example added:
>
>> If there is no Phase 2 data, then the EAP
>> server MUST reject the session. There is no reason to have TEAP
>> devolve to EAP-TLS.

The intent was clarified in the next paragraph:

   Note that the Phase 2 data could simply be a Result TLV with value
   Success, along with a Crypto-Binding TLV and Intermediate-Result TLV.
   This Phase 2 data serves as a protected success indication as
   discussed in {{RFC9190}} Section 2.1.1.

i.e. TEAP with outer client certificate and no Phase 2 crypto-binding seems wrong.

> IoT devices need a way to authenticate as TEAP is EAP-TLS under nominal
> conditions. When a certificate is about to expire, then the expectation is
> that either the client will issue a PKCS#10 request or the server will issue
> a request action TLV with PKCS#10, so that the client knows the server wants
> it to renew.

Sure. Perhaps the text could just remove the last sentence about devolving to EAP-TLS.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
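The rule under discussion (an empty Phase 2 is rejected; the smallest acceptable Phase 2 is a Result TLV of Success together with a Crypto-Binding TLV and an Intermediate-Result TLV) as a worked server-side check. This is an added example for this archive page, not text from the draft, from the thread, or from any TEAP implementation. The TLV type numbers (Result = 3, Intermediate-Result = 10, Crypto-Binding = 12) and the 76-octet Crypto-Binding value layout are my reading of RFC 7170 section 4.2 and should be confirmed against the RFC; the compound MACs inside the Crypto-Binding TLV are zero placeholders because deriving them needs the TLS exporter keys, which is outside what the thread is about. The `check_phase2` policy and all function names are this example's own.

```python
"""TEAP Phase 2 TLV framing plus a "no empty Phase 2" acceptance check.

Added example; not draft text and not any implementation's code. TLV type
numbers and the Crypto-Binding layout are assumed from RFC 7170 section 4.2.
"""
import struct

# TLV type codes (assumption: taken from RFC 7170 section 4.2, verify).
TLV_RESULT = 3
TLV_INTERMEDIATE_RESULT = 10
TLV_CRYPTO_BINDING = 12

STATUS_SUCCESS = 1
STATUS_FAILURE = 2

TLV_HDR = struct.Struct("!HH")  # M/R/type halfword, then 16-bit length


def encode_tlv(tlv_type, value, mandatory=True):
    """Frame one TEAP TLV: M bit (0x8000), R bit (0x4000, always zero),
    14-bit type, 16-bit length, value."""
    if not 0 <= tlv_type <= 0x3FFF:
        raise ValueError("TLV type must fit in 14 bits")
    if len(value) > 0xFFFF:
        raise ValueError("TLV value too long for a 16-bit length")
    hdr = (0x8000 if mandatory else 0) | tlv_type
    return TLV_HDR.pack(hdr, len(value)) + bytes(value)


def decode_tlvs(buf):
    """Parse concatenated TLVs into (mandatory, type, value) tuples.
    Truncation and a set R bit are errors, not silently skipped bytes."""
    tlvs = []
    off = 0
    while off < len(buf):
        if len(buf) - off < TLV_HDR.size:
            raise ValueError("truncated TLV header at offset %d" % off)
        hdr, length = TLV_HDR.unpack_from(buf, off)
        if hdr & 0x4000:
            raise ValueError("reserved R bit set in TLV at offset %d" % off)
        off += TLV_HDR.size
        if len(buf) - off < length:
            raise ValueError("truncated TLV value at offset %d" % off)
        tlvs.append((bool(hdr & 0x8000), hdr & 0x3FFF, bytes(buf[off:off + length])))
        off += length
    return tlvs


def status_of(value):
    """Result and Intermediate-Result TLV values begin with a 2-octet Status."""
    if len(value) < 2:
        raise ValueError("status TLV shorter than 2 octets")
    return struct.unpack_from("!H", value)[0]


def minimal_protected_success(nonce):
    """Build the smallest Phase 2 the message describes: Intermediate-Result
    Success, Crypto-Binding, Result Success.  Crypto-Binding value layout
    (assumed from RFC 7170): Reserved(1) Version(1) Received Version(1)
    Flags/Sub-Type(1) Nonce(32) EMSK Compound MAC(20) MSK Compound MAC(20).
    The two MACs are zero placeholders in this example."""
    if len(nonce) != 32:
        raise ValueError("nonce must be 32 octets")
    crypto_binding = bytes([0, 1, 1, 0]) + bytes(nonce) + bytes(20) + bytes(20)
    return (encode_tlv(TLV_INTERMEDIATE_RESULT, struct.pack("!H", STATUS_SUCCESS))
            + encode_tlv(TLV_CRYPTO_BINDING, crypto_binding)
            + encode_tlv(TLV_RESULT, struct.pack("!H", STATUS_SUCCESS)))


def check_phase2(buf):
    """Server-side decision at the end of Phase 2.  Returns (accept, reason).
    Empty Phase 2 is rejected outright (no devolving to EAP-TLS); a Success
    Result without Crypto-Binding and Intermediate-Result TLVs is rejected
    because it is not a protected success indication."""
    if not buf:
        return False, "no Phase 2 data: reject rather than devolve to EAP-TLS"
    try:
        tlvs = decode_tlvs(buf)
        by_type = {}
        for _mandatory, t, v in tlvs:
            by_type.setdefault(t, []).append(v)
        if TLV_RESULT not in by_type:
            return False, "Phase 2 has not concluded: no Result TLV"
        result = status_of(by_type[TLV_RESULT][-1])
        if result != STATUS_SUCCESS:
            return False, "Result TLV status %d" % result
        required = (("Crypto-Binding", TLV_CRYPTO_BINDING),
                    ("Intermediate-Result", TLV_INTERMEDIATE_RESULT))
        missing = [name for name, t in required if t not in by_type]
        if missing:
            return False, "Result Success without " + " and ".join(missing) + " TLV"
        if any(status_of(v) != STATUS_SUCCESS for v in by_type[TLV_INTERMEDIATE_RESULT]):
            return False, "Intermediate-Result TLV not Success"
    except ValueError as e:
        return False, "malformed Phase 2: %s" % e
    return True, "protected success indication present"


if __name__ == "__main__":
    print(check_phase2(b""))
    print(check_phase2(encode_tlv(TLV_RESULT, struct.pack("!H", STATUS_SUCCESS))))
    print(check_phase2(minimal_protected_success(bytes(range(32)))))
```

The check deliberately keys on the Result TLV alone being insufficient: a bare Success without the Crypto-Binding and Intermediate-Result TLVs is exactly the "TEAP devolving to EAP-TLS" case, so it is rejected on the same path as an empty Phase 2. Malformed framing (truncated TLVs, reserved R bit set) is also a rejection rather than a skip, since a server that tolerates junk at this point has no protected success indication to rely on.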