These are just some notes which come from skimming the document:

* what is used for the outer identity? Should it be in NAI form? What are the privacy implications of using a domain in the outer NAI?

  i.e. the EAP conversation should be routable in an AAA framework. So the outer identity should be something like @example.com. What privacy implication does this have for EAP-PPT?

* what certificate is used for the outer TLS session? How is it validated?

* what happens with session resumption? Presumably that's a way to correlate multiple sessions. So even if the PII changes per session, the use of resumption will tie two sessions together.

Alan DeKok.

_______________________________________________
Emu mailing list -- emu@ietf.org