On Jun 18, 2013, at 11:39 AM, Sam Hartman
<hartmans(_at_)painless-security(_dot_)com>
wrote:
Joe, eap-lower-layer is not required for application authentication if
there's some other attribute that's specific to the lower layer. For
example Moonshot sends gss-acceptor-service-name but does not currently
send eap-lower-layer, and doing that seems consistent with the
requirements of the channel binding spec.
Adding a requirement for eap-lower-layer all the time would be new, but
might be reasonable.
[Joe] Ah yes, I remember this. It would be simpler to just use eap lower-layer
attribute. I think we could massage the text to say something like "eap
lower-layer layer attribute or equivalent attribute indicating the EAP lower
layer in use" . Let me see what I can do with the text David provided.
--Sam