On Mar 7, 2022, at 8:40 AM, Heikki Vatiainen <[email protected]> wrote:

> I suggest for this document that we just forbid the case of using only a
> client certificate with TTLS.
>
> No objection from me - and it now appears to be in draft version -05. While
> there may have been client software that supported this, I have not seen any
> recent clients that support this. The only reason I mentioned this RFC 5281
> feature is that it's mentioned in the RFC, not that I have seen it used.

I can't recall seeing it used, either. But we'll talk about this at the next meeting, and see if there are any concerns.

> I noticed there's also a similar new paragraph in draft -05 for PEAP. This is
> a good and symmetrical clarification which I see being compatible with
> [MS-PEAP]. The document Microsoft maintains says very little about client
> certificates, basically just allowing them to be requested by the server. I
> don't see anything that changes the use of inner tunnel authentication by the
> use of them and now the draft confirms this.

If I recall, Windows can't do client certs for PEAP. Maybe that changed with Windows 11 and TLS 1.3. But it didn't work historically.

I think it's a good idea to forbid (a) duplicate features, (b) features no one uses, and (c) features we're not sure have any value.

Alan DeKok.

_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
