On Sep 19, 2019, at 6:04 AM, John Mattsson <john.matts...@ericsson.com> wrote:
> I am starting to come down on the side that EAP-TLS PSK should be specified.
> - I think EAP-PSK should be phased out like all other methods not giving PFS.

  EAP-TLS using PSK has worse security properties than EAP-PSK, I think.

> - The security of the Dragonfly handshake used in EAP-PWD (and WPA3) seems 
> quite shaky ( https://eprint.iacr.org/2019/383 ), but I have not looked into 
> the details.

  Yes.  There are updates coming.

  EAP-PWD is widely deployed and is widely used.  Given its simplicity, I 
recommend using it where simple name / password authentication is required.

> - An EAP password method for the future should likely use the PAKE that CFRG 
> will soon standardize.
> - EAP methods should in the future support some PQC key exchange.
> TLS will very likely get support for both the CFRG PAKE and PQC key exchange 
> algorithms. I am not sure the EAP group want to spend time updating either 
> EAP-PSK or ESP-PWD. Unless there are other benefits with EAP-PSK or EAP-PWD, 
> I think standardizing EAP-TLS PSK makes a lot of sense.

  It's not clear to me how EAP-TLS PSK is *better* than EAP-PWD.

> I also note that EAP-PSK is experimental and EAP-PWD is informal. Unless 
> IETF thinks PSK and passwords should not be used (which certainly does not 
> seem to be the case, as TLS 1.3 is including PSK and CFRG is standardizing 
> password based AKE), I think that EMU should make some PSK and password based 
> method Standards Track. At the moment EAP-TLS 1.3 looks like the best choice.

  PEAP is informational.  EAP-TTLS is informational.  Yet both are widely used. 
 The document status is largely a byproduct of the IETF process.  I think we 
should take into account what people *do* with EAP methods.

  In this case, people have voted with their feet.  EAP-PWD, PEAP, and EAP-TTLS 
are widely deployed.  They all support some form of name / password 
authentication.  PEAP and EAP-TTLS also include support for anonymous outer 
identities, which is impossible with EAP-TLS PSK.

  Alan DeKok.

Emu mailing list