Maybe it is a terminology issue but TLS at least requires server-authentication.
From: Emu <[email protected]> On Behalf Of Heikki Vatiainen
Sent: Monday, March 7, 2022 2:41 PM
To: Alan DeKok <[email protected]>
Cc: EMU WG <[email protected]>
Subject: Re: [Emu] Working Group Last Call for TLS-based EAP types and TLS 1.3

On Fri, 4 Mar 2022 at 21:44, Alan DeKok <[email protected]> wrote:

I would argue that EAP-TTLS with only a client certificate doesn't make sense. I'm not sure why it's in RFC 5281. If you want to only use a client certificate, you should just use EAP-TLS.

I suggest for this document that we just forbid the case of using only a client certificate with TTLS.

No objection from me - and it now appears to be in draft version -05.

While there may have been client software that supported this, I have not seen any recent clients that support this.

The only reason I mentioned this RFC 5281 feature is that it's mentioned in the RFC, not that I have seen it used.

I noticed there's also a similar new paragraph in draft -05 for PEAP. This is a good and symmetrical clarification which I see being compatible with [MS-PEAP]. The document Microsoft maintains says very little about client certificates, basically just allowing them to be requested by the server. I don't see anything that changes the use of inner tunnel authentication by the use of them and now the draft confirms this.

Thanks,
Heikki

--
Heikki Vatiainen
[email protected]
