Alan DeKok wrote: >That being said, I'm OK with having one EAP type code for EAP-TLS (certs), and >another for EAP-TLS (everything else) >I would avoid having multiple EAP types. That would bloat implementations. >It's better to just let implementors / admins configure TLS parameters for one >EAP type, instead of multiple EAP types.
What does "avoid having multiple EAP types" refer to? Does this mean you would like to avoid "EAP-TLS (certs), and another for EAP-TLS (everything else)", even If you can accept it Or are you saying that you want to avoid EAP-TLS (cert), EAP-TLS (psk), EAP-TLS (pwd), etc.... John -----Original Message----- From: Alan DeKok <al...@deployingradius.com> Date: Wednesday, 11 March 2020 at 12:26 To: John Mattsson <john.matts...@ericsson.com> Cc: Russ Housley <hous...@vigilsec.com>, Mohit Sethi M <mohit.m.se...@ericsson.com>, EMU WG <emu@ietf.org> Subject: Re: [Emu] Late WGLC Comment on draft-ietf-emu-eap-tls13 On Mar 11, 2020, at 4:01 AM, John Mattsson <john.mattsson=40ericsson....@dmarc.ietf.org> wrote: > > If I remember correctly, Bernard stated that the indroduction of PSK could weaken the implementation and violate the security proofs of EAP-TLS. I don't really agree with Bernard, but I am fine with resticting the type code 0x0D to certificates only. I am not sure any proofs with TLS 1.1 would apply to TLS 1.3 anyway as TLS 1.3 is basically a new protocol, reusing encoding and IANA registers from the old version. For what it's worth, RFC 5216 doesn't make any statement about PSK. So on a first reading, there are currently no restrictions on using PSK with EAP-TLS, and TLS <= 1.2. There are multiple client / server implementations which support PSK for EAP-TLS. That being said, I'm OK with having one EAP type code for EAP-TLS (certs), and another for EAP-TLS (everything else) I would avoid having multiple EAP types. That would bloat implementations. It's better to just let implementors / admins configure TLS parameters for one EAP type, instead of multiple EAP types. Alan DeKok. _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu