On Jun 18, 2013, at 11:39 AM, Sam Hartman <hartmans@xxxxxxxxxxxxxxxxxxxxx> wrote:

> Joe, eap-lower-layer is not required for application authentication if
> there's some other attribute that's specific to the lower layer. For
> example Moonshot sends gss-acceptor-service-name but does not currently
> send eap-lower-layer, and doing that seems consistent with the
> requirements of the channel binding spec.
>
> Adding a requirement for eap-lower-layer all the time would be new, but
> might be reasonable.
>

[Joe] Ah yes, I remember this. It would be simpler to just use eap lower-layer attribute. I think we could massage the text to say something like "eap lower-layer attribute or equivalent attribute indicating the EAP lower layer in use". Let me see what I can do with the text David provided.

> --Sam