Hi Bernard,

On Thu, Nov 19, 2017, Bernard Aboba wrote:

> The big question is "Why not create a new EAP method"?
> The overall intent seems to be to create a pre-shared key EAP method
> optimized for 5G, based on EAP-TLS v1.3.

I don't know why you have gotten the idea that the intent is pre-shared key authentication. 3GPP has no interest in EAP-TLS with pre-shared key authentication. 3GPP wants to use EAP-TLS with certificate authentication.

> Since the protocol described will not interoperate with any of the existing 2+ billion
> EAP-TLS devices, why reuse the EAP-TLS code point or EAP-TLS name? What has been
> described is an entirely distinct authentication method, not a "clarification" to an
> existing specification.
> In fact, from how it has been described, it would appear that the new protocol is only for use
> with new devices supporting 5G and new 5G servers supporting the new method. In which case,
> if the new method is not for general use on the Internet, why can't 3GPP just define the method
> themselves and allocate their own private EAP type code?

I don't know why you have come to the conclusion that this would not interoperate with existing EAP-TLS devices. TLS 1.3, e.g., obsoletes TLS 1.2 but still interoperates just fine with all old versions of TLS. 3GPP plans to use EAP-TLS (RFC5216) with current versions of TLS. In the future, 3GPP (and probably many others) would like to use EAP-TLS with TLS 1.3. 3GPP has no special requirements when it comes to using EAP-TLS with TLS 1.3, and would like to be interoperable with all implementations of EAP-TLS with TLS 1.3. The major point with EAP-TLS is to use the TLS version negotiation; defining EAP-TLS with TLS 1.3 as a different code is not a good idea.

My view is that it is not clear how the key derivation is done when EAP-TLS is used with TLS 1.3. Non-interoperable implementations would not be good for the Internet. Furthermore, an implementation of EAP-TLS with TLS 1.3 would break a _large_ amount of MUSTs in RFC5216, as TLS 1.3 changes a lot from TLS 1.0 - 1.2.

I think that an update to RFC5216 is needed irrespective of 3GPP using EAP-TLS or not.

Cheers,
John

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
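To make the key-derivation point in the message above concrete, here is the RFC 5216 section 2.3 EAP-TLS key hierarchy written out as an added example (not code from the thread, from 3GPP, or from any EAP-TLS implementation). RFC 5216 defines the TLS-PRF as the PRF of the negotiated TLS version; this example assumes TLS 1.2 and therefore uses the SHA-256 based P_hash of RFC 5246. The master secret and random values are constructed sample inputs, not captured from a real handshake. The inputs the derivation consumes, the 48-byte `master_secret` and the TLS PRF, are exactly the TLS 1.0 - 1.2 constructs that TLS 1.3 removed, which is why the RFC 5216 text cannot be applied unchanged to a TLS 1.3 handshake.

```python
import hmac

# RFC 5216 section 2.3 fixes this label for all EAP-TLS key derivation.
EAP_TLS_LABEL = b"client EAP encryption"


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """TLS 1.2 P_hash (RFC 5246 section 5): HMAC-based data expansion.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed) (assumed SHA-256 PRF suite)."""
    return p_hash(secret, label + seed, length)


def eap_tls_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """RFC 5216 section 2.3 key hierarchy, evaluated with the TLS 1.2 PRF.

    Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
                               client.random || server.random)
    MSK          = Key_Material(0,63)
    EMSK         = Key_Material(64,127)
    IV           = TLS-PRF-64("", "client EAP encryption",
                              client.random || server.random)

    All three inputs are TLS 1.0 - 1.2 handshake state; TLS 1.3 has no
    master_secret and no TLS-PRF, so this function has nothing to consume there.
    """
    if len(master_secret) != 48:
        raise ValueError("TLS 1.0-1.2 master_secret is 48 bytes")
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("client.random and server.random are 32 bytes each")

    seed = client_random + server_random
    key_material = tls12_prf(master_secret, EAP_TLS_LABEL, seed, 128)
    iv = tls12_prf(b"", EAP_TLS_LABEL, seed, 64)

    msk = key_material[:64]
    emsk = key_material[64:128]
    return {
        "MSK": msk,
        "EMSK": emsk,
        "IV": iv,
        # RFC 5216 also names the halves of the MSK for the EAP lower layer.
        "Enc-RECV-Key": msk[:32],
        "Enc-SEND-Key": msk[32:64],
    }


if __name__ == "__main__":
    # Constructed sample handshake state (not from a real session).
    master_secret = bytes(range(48))
    client_random = bytes([0x11] * 32)
    server_random = bytes([0x22] * 32)
    for name, value in eap_tls_keys(master_secret, client_random, server_random).items():
        print(f"{name:13s} ({len(value):3d} bytes): {value.hex()}")
```

The MSK is what EAP hands to the lower layer (for example to the WPA2 four-way handshake, or to the 5G key hierarchy 3GPP has in mind), so two implementations that derive it differently will authenticate successfully at the TLS layer and then fail to agree on session keys: the silent non-interoperability the message warns about.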