Hi Hannes, On 6/12/20 11:29 AM, Hannes Tschofenig wrote:
A short follow-up on my own review: I wrote: " Pre-Shared Key (PSK) authentication SHALL NOT be used except for resumption. " What you want to say that that EAP-TLS MUST NOT use external PSKs. I wonder why you want to rule that use case out? It is a perfectly fine use case for TLS 1.3 and there is even the possibility to use PSK with ECDHE. What is the motivation? I noticed now that the working group had a discussion about this already and that there is a new document being published specifically focused on EAP-TLS-PSK-based authentication. Hence, ignore the second part of my comment. Indeed. There has been lots of discussion on this topic. To summarize: RFC 5216 explicitly required certificate based TLS authentication with the following text: If the EAP server is not resuming a previously established session, then it MUST include a TLS server_certificate handshake message, and a server_hello_done handshake message MUST be the last handshake message encapsulated in this EAP-Request packet. The certificate message contains a public key certificate chain for either a key exchange public key (such as an RSA or Diffie-Hellman key exchange public key) or a signature public key (such as an RSA or Digital Signature Standard (DSS) signature public key). Bernard Aboba opined that external PSK based authentication shouldn't be added to EAP-TLS in this update. Instead a separate document (with a separate EAP method type) should do that. Hence, we now have: https://tools.ietf.org/html/draft-mattsson-emu-eap-tls-psk-00. For reference, here are some email conversations containing discussion on this topic: - https://mailarchive.ietf.org/arch/msg/emu/FtxRJHTjzSY0yVdVr8Vjyk9D-vk/ - https://mailarchive.ietf.org/arch/msg/emu/CRh3VXLDnpJFFIbHWJAjiOgfzAg/ - https://mailarchive.ietf.org/arch/msg/emu/nYrIA4PKqk2mrUoNvAtFh7S-Xb8/ - https://mailarchive.ietf.org/arch/msg/emu/hVG357HXqvy0EjZ2yrOLdspH53o/ --Mohit Ciao Hannes IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________ Emu mailing list Emu@ietf.org<mailto:Emu@ietf.org> https://www.ietf.org/mailman/listinfo/emu
_______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
