[Joe] OK I think this is good. How does 1.1 and 1.2 impact backwards compatibility?

I don't think we know yet. To get clarity, we need to do some tests. It is possible that only a subset of the problems that Y. Pettersen describes in his draft afflict TLS-based EAP methods:
http://www.watersprings.org/pub/id/draft-pettersen-tls-interop-experience-00.txt

BTW, I have verified some ciphersuite interoperability problems with existing implementations. For example, it appears that 3DES ciphersuites do not interoperate (though they can be negotiated).

[Joe] OK, I think perhaps the Session ID should start with 0x0D?

Oops.  Typo :(

[Joe] OK, but we may want to also include security considerations for
the case of EAP-TLS.  When EAP-TLS is negotiated the ciphersuite that
will be chosen is not known, so it is possible that the TLS negotiation
may result in a weaker authentication method than was intended when
EAP-TLS was negotiated through EAP.  Implementations should take this
into account when negotiating TLS ciphersuites.

It is definitely important to have policy in place. This is required in EAP-TLS implementations seeking FIPS 140-2 certification -- only FIPS-approved ciphersuites (e.g. 3DES, AES, HMAC-SHA1) can be negotiated, not RC4 or MD5.

I'll add a section on this in the next rev.

>        TLS_RSA_WITH_3DES_EDE_CBC_SHA.
>
[Joe] RFC4346 allows you define an application profile so we wouldn't
necessarily have to make this ciphersuite mandatory.

Just found some interoperability issues with this ciphersuite, so making it mandatory could be problematic :(

Maybe we should stick with RC4 as mandatory, and add AES as a SHOULD? RC4 definitely interoperates.

[Joe] what do you mean support and be able to negotiate? Why not just support?

Support should be sufficient. In some situations, not every supported ciphersuite will be negotiable (e.g. in FIPS mode, RC4 ciphersuites will not be negotiable).

[Joe] OK, I think in the sample text for section 2.5 you used 0x0c
instead of 0x0d.

Yup.  Typo :(



_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
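The distinction drawn above between ciphersuites an implementation supports and those it may actually negotiate under a policy such as a FIPS profile, and the concern that the TLS handshake inside EAP-TLS could settle on a weaker suite than the EAP negotiation intended, can be shown with a small policy filter. The following is an added example written for this page; it is not code from the EAP-TLS draft or from any EAP or TLS implementation discussed in the thread. The suite list, the Policy and Suite types, and the approved-algorithm sets are constructed for illustration (the FIPS set mirrors the thread's description of 3DES/AES with HMAC-SHA1 and should be checked against current guidance before reuse).

```python
"""Support vs. negotiability of TLS ciphersuites under a policy (added example).

A TLS-based EAP method can compile in many suites, but a policy (for
example a FIPS 140-2 profile) decides which of them may be *offered* and
*selected*. Enforcing the policy at the TLS layer is what prevents the
handshake from silently ending up weaker than the EAP negotiation assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed list of suites an implementation might compile in
# ("supported"); which ones are negotiable depends on the active policy.
SUPPORTED_SUITES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

# Splits a standard suite name into key exchange, bulk cipher and MAC.
_SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>MD5|SHA|SHA256)$")


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str  # e.g. "RSA", "DHE_RSA", "DH_anon"
    cipher: str        # e.g. "RC4_128", "3DES_EDE_CBC", "AES_128_CBC"
    mac: str           # "MD5", "SHA" or "SHA256"


def parse_suite(name: str) -> Suite:
    """Parse an IANA-style ciphersuite name; reject anything unrecognised."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised ciphersuite name: {name}")
    return Suite(name, m["kx"], m["cipher"], m["mac"])


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy object: which algorithms a suite may use."""
    name: str
    allowed_ciphers: frozenset[str]
    allowed_macs: frozenset[str]
    allow_anonymous: bool = False  # unauthenticated DH defeats EAP-TLS's purpose

    def permits(self, s: Suite) -> bool:
        if not self.allow_anonymous and "anon" in s.key_exchange:
            return False
        return s.cipher in self.allowed_ciphers and s.mac in self.allowed_macs


# FIPS-style profile as described in the thread: 3DES/AES with HMAC-SHA,
# never RC4 or MD5. Constructed for this example.
FIPS_POLICY = Policy(
    "fips",
    allowed_ciphers=frozenset({"3DES_EDE_CBC", "AES_128_CBC", "AES_256_CBC"}),
    allowed_macs=frozenset({"SHA", "SHA256"}),
)

# Permissive profile that only refuses anonymous key exchange.
DEFAULT_POLICY = Policy(
    "default",
    allowed_ciphers=frozenset({"RC4_128", "3DES_EDE_CBC", "AES_128_CBC", "AES_256_CBC"}),
    allowed_macs=frozenset({"MD5", "SHA", "SHA256"}),
)


def negotiable(supported: list[str], policy: Policy) -> list[str]:
    """Suites that are both supported and policy-permitted: what we offer."""
    return [n for n in supported if policy.permits(parse_suite(n))]


def select_suite(client_hello: list[str], server_supported: list[str],
                 policy: Policy) -> str | None:
    """Server-preference selection restricted to policy-permitted suites.

    Returns None when no acceptable suite is shared; the server must then
    abort the handshake rather than fall back to a non-permitted suite.
    """
    offered = set(client_hello)
    for name in negotiable(server_supported, policy):
        if name in offered:
            return name
    return None


if __name__ == "__main__":
    peer = ["TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_AES_128_CBC_SHA"]
    for pol in (DEFAULT_POLICY, FIPS_POLICY):
        print(pol.name, "offers", negotiable(SUPPORTED_SUITES, pol))
        print(pol.name, "selects", select_suite(peer, SUPPORTED_SUITES, pol))
    print("fips, RC4-only peer:",
          select_suite(["TLS_RSA_WITH_RC4_128_SHA"], SUPPORTED_SUITES, FIPS_POLICY))
```

Under the FIPS profile a peer that only offers RC4 gets no suite at all (the handshake must fail), while under the default profile the same server happily picks RC4/MD5; the policy, not the EAP method selection, is what bounds the strength of the resulting TLS session.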