On Sep 12, 2019, at 10:55 AM, John Mattsson <john.matts...@ericsson.com> wrote:
>>     See Section 2.1.2.  TLS 1.3 uses PSK for resumption.  As a result, we 
>> *cannot* use PSK for >authentication in EAP-TLS.
> I don't understand why this could not be done. My view is that allowing PSK 
> authentication would be quite easy.

  How would systems tell the difference between "raw" PSK and "resumption" PSK?

  When allowing resumption, the server has sent a PSK identity in a 
NewSessionTicket message.  The client caches this and re-uses this.  But the 
client signals that it is performing resumption via the act of using PSK.  
There's nothing else.

  Which means that if PSK was allowed, the server can't look at the packets to 
distinguish resumption from "raw" PSK.  Instead, the server has to look at it's 
resumption cache which may be in a DB.

>>> While there is the EAP-PSK method, I would much rather use EAP-TLS with PSK 
>>> because it >provides identity protection and perfect forward secrecy, 
>>> unlike EAP-PSK. 
>>     Use EAP-PWD for that.
> Standardizing EAP-TLS should only be done if it has some significant 
> advantages over EAP-PWD, and there are people wanting to implement and use 
> it. 3GPP is e.g. adding  identity protection and perfect forward secrecy to 
> EAP-AKA instead.

  I would prefer to forbid PSK in EAP-TLS. 

  Alan DeKok.

Emu mailing list

Reply via email to