Bernard Aboba wrote:
> In addition adding new non-certificate modes would impose large
> costs on customers. Today there are interoperability and conformance
> test suites for EAP-TLS that assume that only certificate-based
> authentication is supported.
>
> In addition, EAP-TLS has been approved for use within FIPS 140-2
> installations, based on support for certificate-based ciphersuites.
> Introducing new non-certificate modes would introduce confusion, and
> would force existing test suites to be re-written.
>
> For customers, deployment of EAP is difficult enough without
> introducing confusion, interoperability problems and new security
> vulnerabilities into the one EAP method that today is synonymous with
> high security.

By certificate-based ciphersuites, do you mean TLS_RSA_WITH_*
ciphersuites from RFC 2246 specifically, or any ciphersuite
that uses any kind of certificates?

(To me it looks like many of these arguments would also suggest
defining a separate EAP type code for e.g. ECC certificates
based on the RFC 4492 ciphersuites. I don't think that would
be a good idea...)

Best regards,
Pasi

_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
