On May 16, 2021, at 2:30 PM, Joseph Salowey <[email protected]> wrote:

> This is understating the issue rather severely. We know with
> absolute certainty that most (if not all) EAP implementations and
> access networks limit the number of EAP packet exchanges. Perhaps
> update the text to reference implementation and interoperability
> experience.
>
> [Joe] Is there a paper that should be referenced?

No papers that I recall. But source code to hostap and FreeRADIUS is publicly available. I've previously posted stable links to specific revisions of the source, for both projects.

> Section 5.1 says:
>
> [4] Cryptographic Negotiation: TLS 1.3 increases the number of
> cryptographic parameters that are negotiated in the handshake. When
> EAP-TLS is used with TLS 1.3, EAP-TLS inherits the cryptographic
> negotiation of AEAD algorithm, HKDF hash algorithm, key exchange
> groups, and signature algorithm, see Section 4.1.1 of [RFC8446].
>
> Question: what does this mean in practice for EAP-TLS? I.e., this text
> describes a capability. It does not describe what that capability
> does, or how it benefits EAP-TLS.
>
> [Joe] Although this is an internal TLS detail I don't see any problem
> discussing this in the security considerations.

I don't see it's a problem, but I don't know why it's there. Should the EAP-TLS document discuss all of the properties of TLS? If not, then perhaps a subset? And which subset to pick?

As an implementor, anything which is explicitly called out in the document should be there for a reason, i.e. to guide implementors. So reading the above text leads me to conclude that the text is important. But there are no actionable items coming from that text. No recommendations, and no further discussion.

And the first sentence is truncated from a grammatical sense: "TLS increases..." as compared to what?

Perhaps it's simpler to just say:

[4] Cryptographic Negotiation: Compared to earlier versions, TLS 1.3 increases the number of cryptographic parameters which are negotiated in the handshake. When EAP-TLS is used with TLS 1.3, EAP-TLS inherits all of the increased capabilities of TLS. See Section 4.1.1 of [RFC8446] for more information.

> [Joe] How about
>
> "When peer authentication is not used, deployments
> MUST take care that the resulting access granted by AAA servers and
> network authenticators is appropriate for
> unauthenticated peers."

Yes.
Alan DeKok.

Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
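The point made above that real EAP implementations cap the number of EAP packet exchanges is illustrated by the following added model, which is not code from this thread, hostap or FreeRADIUS: it fragments a TLS message using the RFC 5216 EAP-TLS Flags/Length layout and has a server-side reassembler abort once a configured round-trip budget (a constructed value here) is exhausted.

```python
"""Model of EAP-TLS fragment reassembly with a round-trip cap (added example).

Fragment layout per RFC 5216 section 3.1: one Flags byte (L=0x80 length
included, M=0x40 more fragments, S=0x20 start), an optional 4-byte TLS
message length when L is set, then TLS data. MAX_ROUNDS is a constructed
illustrative limit, not a value taken from any implementation.
"""
import struct

FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20
MAX_ROUNDS = 50  # constructed limit; deployments choose their own


def fragment(tls_msg: bytes, max_frag: int) -> list:
    """Split a TLS message into EAP-TLS fragments; L+length only on the first of several."""
    pieces = [tls_msg[i:i + max_frag] for i in range(0, len(tls_msg), max_frag)] or [b""]
    frags = []
    for idx, piece in enumerate(pieces):
        flags = 0 if idx == len(pieces) - 1 else FLAG_M
        if idx == 0 and len(pieces) > 1:
            flags |= FLAG_L
            frags.append(bytes([flags]) + struct.pack("!I", len(tls_msg)) + piece)
        else:
            frags.append(bytes([flags]) + piece)
    return frags


class Reassembler:
    """Server side: reassembles fragments and counts every EAP round trip."""

    def __init__(self, max_rounds: int = MAX_ROUNDS):
        self.max_rounds, self.rounds = max_rounds, 0
        self.buf, self.expected = b"", None

    def receive(self, frag: bytes):
        """Return the full TLS message, None if more fragments are due, or
        raise ValueError (the EAP-Failure case) on budget exhaustion or malformed input."""
        self.rounds += 1
        if self.rounds > self.max_rounds:
            raise ValueError("EAP round limit exceeded; send EAP-Failure")
        flags, body = frag[0], frag[1:]
        if flags & FLAG_L:
            if len(body) < 4:
                raise ValueError("L flag set but length field missing")
            self.expected, body = struct.unpack("!I", body[:4])[0], body[4:]
        self.buf += body
        if self.expected is not None and len(self.buf) > self.expected:
            raise ValueError("fragments exceed declared TLS message length")
        if flags & FLAG_M:
            return None  # wait for the next fragment (peer gets an empty ACK)
        msg, self.buf, self.expected = self.buf, b"", None
        return msg
```

A real server would also bound the declared length and the per-session wall-clock time; the round counter alone is what this model demonstrates.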
