On Fri, 4 Mar 2022 at 21:44, Alan DeKok <al...@deployingradius.com> wrote:
> I would argue that EAP-TTLS with only a client certificate doesn't make
> sense. I'm not sure why it's in RFC 5281. If you want to only use a
> client certificate, you should just use EAP-TLS.
>
> I suggest for this document that we just forbid the case of using only a
> client certificate with TTLS.

No objection from me - and it now appears to be in draft version -05. While there may have been client software that supported this, I have not seen any recent clients that support this. The only reason I mentioned this RFC 5281 feature is that it's mentioned in the RFC, not that I have seen it used.

I noticed there's also a similar new paragraph in draft -05 for PEAP. This is a good and symmetrical clarification which I see being compatible with [MS-PEAP]. The document Microsoft maintains says very little about client certificates, basically just allowing them to be requested by the server. I don't see anything that changes the use of inner tunnel authentication by the use of them and now the draft confirms this.

Thanks,
Heikki

--
Heikki Vatiainen
h...@radiatorsoftware.com
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu