According to RFC 2716, a compliant EAP-TLS implementation must support
certificates. Since the resources required to support certificates are much
larger than the resources required for TLS-PSK, a combined method would not
be optimal for use within an embedded environment. There would also be
substantial costs to adding support for additional authentication methods to
EAP-TLS. For example, EAP-TLS certification and testing programs have been
developed which focus solely on certificate ciphersuites; rewriting those
test suites would be costly.
By developing EAP-TLS-PSK as a separate EAP method, an implementation can
solely implement TLS-PSK while remaining compliant. This permits
EAP-TLS-PSK implementations to be optimized for embedded environments. As a
side benefit, this approach also eliminates multiple levels of negotiation,
which had been raised as a potential problem.
_______________________________________________
Emu mailing list
https://www1.ietf.org/mailman/listinfo/emu