+ Key is not shown to other parties
+ Lengthy EAP runs become faster
+ We authenticate the node on the other side
- But untrusted proxies can still misbehave!
Proxy might not send a Redirect
Proxy might send the wrong server's address
=> We need additional authorization
Attributes in server certs?
NAI realm vs. FQDN in server check