
The EAP-TLS Authentication Protocol

Approval announcement
Draft of message to be sent after approval:


From: The IESG <>
To: IETF-Announce <>
Cc: Internet Architecture Board <>,
    RFC Editor <>, 
    emu mailing list <>, 
    emu chair <>
Subject: Protocol Action: 'The EAP TLS Authentication Protocol' 
         to Proposed Standard 

The IESG has approved the following document:

- 'The EAP TLS Authentication Protocol '
   <draft-simon-emu-rfc2716bis-14.txt> as a Proposed Standard

This document is the product of the EAP Method Update Working Group. 

The IESG contact persons are Sam Hartman and Tim Polk.

A URL of this Internet-Draft is:

Ballot Text

Technical Summary
   The Extensible Authentication Protocol (EAP), defined in RFC 3748,
   provides support for multiple authentication methods. Transport Layer
   Security (TLS) provides for mutual authentication, integrity-protected
   ciphersuite negotiation, and key exchange between two endpoints. This
   document defines EAP-TLS, which includes support for certificate-based
   mutual authentication and key derivation. This document obsoletes RFC
   2716 and brings EAP-TLS onto the standards track.
Working Group Summary
   The document represents rough consensus of the working group.
Protocol Quality
   This document has been reviewed for the IESG by Sam Hartman. There are
   many interoperable implementations of EAP-TLS deployed today.
   This document has been reviewed by people involved in the EAP, TLS and
   PKIX working groups.

Note to RFC Editor
Please replace Section 2.4 with the following text:

2.4.  Ciphersuite and Compression Negotiation

  EAP-TLS implementations MUST support TLS v1.0.

  EAP-TLS implementations need not necessarily support all TLS
  ciphersuites listed in [RFC4346].  Not all TLS ciphersuites are
  supported by available TLS tool kits and licenses may be required in
  some cases.

  To ensure interoperability, EAP-TLS peers and servers MUST support
  the TLS [RFC4346] mandatory-to-implement ciphersuite:


  EAP-TLS peers and servers SHOULD also support and be able
  to negotiate the following TLS ciphersuites:

        TLS_RSA_WITH_RC4_128_SHA [RFC4346]
        TLS_RSA_WITH_AES_128_CBC_SHA [RFC3268]

  In addition, EAP-TLS servers SHOULD support and be able to negotiate
  the following TLS ciphersuite:

      TLS_RSA_WITH_RC4_128_MD5 [RFC4346]

  Since TLS supports ciphersuite negotiation, peers completing the TLS
  negotiation will also have selected a ciphersuite, which includes
  encryption and hashing methods.  Since the ciphersuite negotiated
  within EAP-TLS applies only to the EAP conversation, TLS ciphersuite
  negotiation MUST NOT be used to negotiate the ciphersuites used to
  secure data.

  TLS also supports compression as well as ciphersuite negotiation.
  However, during the EAP-TLS conversation the EAP peer and server MUST
  NOT request or negotiate compression.
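  The two rules above that a server can actually enforce on the wire are
  the TLS 1.0 floor and the ban on compression; the ciphersuite lists are
  SHOULDs it can only report on. The following is an added example, not
  text from the announcement, the draft, or any existing EAP-TLS
  implementation: a small Python checker that unwraps an
  EAP-Response/EAP-TLS packet (EAP Type 13, Flags byte, optional TLS
  Message Length), parses the TLS ClientHello inside it, and applies
  those Section 2.4 rules. The sample packets are constructed inline for
  the example. The mapping of the suite names above to code points
  (0x0005, 0x002F, 0x0004) and of DEFLATE to compression method 1 comes
  from the IANA TLS registries and RFC 3749, not from this page; the
  mandatory-to-implement suite is not named here, so the checker does not
  test for it. Note that RC4 suites were later prohibited by RFC 7465, so
  a current deployment would not treat their absence as a warning.

```python
import struct
from dataclasses import dataclass

# EAP-TLS framing (EAP Type 13 and the Flags byte L/M/S) as described in rfc2716bis.
EAP_TYPE_TLS = 13
FLAG_LENGTH_INCLUDED, FLAG_MORE_FRAGMENTS, FLAG_START = 0x80, 0x40, 0x20
EAP_CODE_RESPONSE = 2

TLS_1_0 = (3, 1)
COMPRESSION_NULL = 0x00

# Code points for the suites Section 2.4 says peers SHOULD offer (IANA TLS registry).
PEER_SHOULD_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


@dataclass
class ClientHello:
    version: tuple
    cipher_suites: list
    compression_methods: list


def build_eap_tls_client_hello(identifier, version, suites, comps):
    """Construct an EAP-Response/EAP-TLS carrying a TLS ClientHello (test input only)."""
    body = struct.pack("!BB", *version) + bytes(32)          # client_version + fixed random
    body += b"\x00"                                           # empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!B", len(comps)) + bytes(comps)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    record = struct.pack("!BBBH", 22, *version, len(handshake)) + handshake
    eap_len = 6 + 4 + len(record)                             # header + TLS Message Length
    return struct.pack("!BBHBBI", EAP_CODE_RESPONSE, identifier, eap_len,
                       EAP_TYPE_TLS, FLAG_LENGTH_INCLUDED, len(record)) + record


def strip_eap_tls(pkt):
    """Validate the EAP/EAP-TLS header and return (flags, TLS data)."""
    if len(pkt) < 6:
        raise ValueError("truncated EAP header")
    _code, _ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    if eap_type != EAP_TYPE_TLS:
        raise ValueError(f"EAP Type {eap_type} is not EAP-TLS")
    offset = 6
    if flags & FLAG_LENGTH_INCLUDED:
        if len(pkt) < 10:
            raise ValueError("L flag set but TLS Message Length field missing")
        (tls_len,) = struct.unpack("!I", pkt[6:10])
        offset = 10
        # With no further fragments, the declared total must equal what arrived.
        if not flags & FLAG_MORE_FRAGMENTS and tls_len != len(pkt) - offset:
            raise ValueError("TLS Message Length does not match data")
    return flags, pkt[offset:]


def parse_client_hello(tls):
    """Parse a single TLS handshake record holding a ClientHello."""
    if len(tls) < 5 or tls[0] != 22:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", tls[3:5])[0]
    body = tls[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ClientHello")
    version = (hello[0], hello[1])
    off = 34                                   # skip client_version(2) + random(32)
    off += 1 + hello[off]                      # skip session_id
    if off + 2 > len(hello):
        raise ValueError("truncated cipher_suites vector")
    cs_len = struct.unpack("!H", hello[off:off + 2])[0]
    off += 2
    if cs_len % 2 or off + cs_len >= len(hello):
        raise ValueError("bad cipher_suites vector")
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    comp_len = hello[off]
    comps = list(hello[off + 1:off + 1 + comp_len])
    if len(comps) != comp_len:
        raise ValueError("bad compression_methods vector")
    return ClientHello(version, suites, comps)


def check_section_2_4(hello):
    """Apply the Section 2.4 rules a server can enforce or report on a ClientHello."""
    errors, warnings = [], []
    if hello.version < TLS_1_0:
        errors.append(f"client_version {hello.version} is below TLS 1.0")
    if hello.compression_methods != [COMPRESSION_NULL]:
        errors.append(f"peer requested compression methods {hello.compression_methods}; "
                      "only null is permitted in EAP-TLS")
    if not hello.cipher_suites:
        errors.append("no cipher suites offered")
    missing = [n for cp, n in PEER_SHOULD_SUITES.items() if cp not in hello.cipher_suites]
    if missing:
        warnings.append("peer does not offer SHOULD suites: " + ", ".join(missing))
    return {"ok": not errors, "errors": errors, "warnings": warnings}


def evaluate_eap_tls_packet(pkt):
    _flags, tls = strip_eap_tls(pkt)
    return check_section_2_4(parse_client_hello(tls))


# Constructed sample packets (not captures): compliant, DEFLATE requested, SSL 3.0 only.
COMPLIANT = build_eap_tls_client_hello(1, TLS_1_0, [0x002F, 0x0005], [COMPRESSION_NULL])
WITH_DEFLATE = build_eap_tls_client_hello(2, TLS_1_0, [0x002F], [0x01, COMPRESSION_NULL])
SSL3_ONLY = build_eap_tls_client_hello(3, (3, 0), [0x0005], [COMPRESSION_NULL])

if __name__ == "__main__":
    for name, pkt in (("compliant", COMPLIANT), ("deflate", WITH_DEFLATE), ("ssl3", SSL3_ONLY)):
        print(name, evaluate_eap_tls_packet(pkt))
```

  A server that rejects a ClientHello on these grounds should do so by
  failing the TLS handshake (an EAP-Failure after the alert), not by
  silently negotiating null compression on the peer's behalf, since the
  text makes requesting compression itself a violation.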

RFC Editor Note