The EAP-TLS Authentication Protocol
RFC 5216
Yes
(Sam Hartman)
No Objection
Lars Eggert
(Cullen Jennings)
(Dan Romascanu)
(David Ward)
(Jon Peterson)
(Lisa Dusseault)
(Magnus Westerlund)
(Mark Townsley)
(Ron Bonica)
(Ross Callon)
(Russ Housley)
(Tim Polk)
Note: This ballot was opened for revision 13 and is now closed.
Lars Eggert
No Objection
Jari Arkko Former IESG member
Yes
(2008-01-10)
Great document. Thanks.
Sam Hartman Former IESG member
Yes
Chris Newman Former IESG member
(was Discuss, No Objection)
No Objection
(2008-01-25)
In this excerpt:
----
   all of the following TLS ciphersuites:

      TLS_RSA_WITH_RC4_128_MD5
      TLS_RSA_WITH_RC4_128_SHA
      TLS_RSA_WITH_AES_128_CBC_SHA

   In addition, EAP-TLS peers SHOULD support the following TLS
   ciphersuites defined in [RFC3268]:

      TLS_RSA_WITH_AES_128_CBC_SHA
      TLS_RSA_WITH_RC4_128_SHA
----
There are two errors:
1. two of the cipher suites are listed twice.
2. the RC4_128 cipher suite is not defined in RFC 3268.

Q: Would it be useful for this protocol to recommend support for the server name indication extension in RFC 4366? Otherwise the server requires an IP address for each name it supports.

I agree with the following proposed resolution from Bernard Aboba:

2.4. Ciphersuite and Compression Negotiation

   EAP-TLS implementations MUST support TLS v1.0.

   EAP-TLS implementations need not necessarily support all TLS
   ciphersuites listed in [RFC4346]. Not all TLS ciphersuites are
   supported by available TLS tool kits and licenses may be required
   in some cases.

   To ensure interoperability, EAP-TLS peers and servers MUST support
   the TLS [RFC4346] mandatory-to-implement ciphersuite:

      TLS_RSA_WITH_3DES_EDE_CBC_SHA

   EAP-TLS peers and servers SHOULD also support and be able to
   negotiate the following TLS ciphersuites:

      TLS_RSA_WITH_RC4_128_SHA [RFC4346]
      TLS_RSA_WITH_AES_128_CBC_SHA [RFC3268]

   In addition, EAP-TLS servers SHOULD support and be able to
   negotiate the following TLS ciphersuite:

      TLS_RSA_WITH_RC4_128_MD5 [RFC4346]

   Since TLS supports ciphersuite negotiation, peers completing the
   TLS negotiation will also have selected a ciphersuite, which
   includes encryption and hashing methods. Since the ciphersuite
   negotiated within EAP-TLS applies only to the EAP conversation, TLS
   ciphersuite negotiation MUST NOT be used to negotiate the
   ciphersuites used to secure data.

   TLS also supports compression as well as ciphersuite negotiation.
   However, during the EAP-TLS conversation the EAP peer and server
   MUST NOT request or negotiate compression.
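The following check is an added example, not part of the ballot comment or of RFC 5216: it parses a peer's TLS ClientHello and reports deviations from the proposed section 2.4 text quoted above (mandatory and recommended peer ciphersuites, no compression). The function names and the sample-message builder are hypothetical, and it assumes the input is a bare handshake message with the record header already removed.

```python
# Code points from the IANA TLS registry, grouped as in the proposed 2.4 text.
MUST = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
SHOULD = {0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

def parse_client_hello(msg: bytes):
    """Return (version, cipher_suites, compression_methods) from a ClientHello."""
    if len(msg) < 4 or msg[0] != 1:            # handshake type 1 = client_hello
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        pos += n
        return body[pos - n:pos]

    version = tuple(take(2))                   # (3, 1) is TLS v1.0
    take(32)                                   # random
    take(take(1)[0])                           # session_id
    raw = take(int.from_bytes(take(2), "big"))
    if len(raw) % 2:
        raise ValueError("odd cipher_suites length")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
    compression = list(take(take(1)[0]))
    return version, suites, compression

def check_peer_hello(msg: bytes):
    """List deviations of a peer's ClientHello from the proposed 2.4 requirements."""
    _, suites, compression = parse_client_hello(msg)
    findings = [f"MUST: {n} not offered" for c, n in MUST.items() if c not in suites]
    findings += [f"SHOULD: {n} not offered" for c, n in SHOULD.items() if c not in suites]
    extra = [m for m in compression if m != 0]  # 0 is the null compression method
    if extra:
        findings.append(f"MUST NOT: compression requested, methods {extra}")
    return findings

def build_sample_hello(suites, compression):
    """Constructed sample input: TLS v1.0 ClientHello, zeroed random, empty session id."""
    body = bytes([3, 1]) + bytes(32) + b"\x00"
    body += (2 * len(suites)).to_bytes(2, "big")
    body += b"".join(s.to_bytes(2, "big") for s in suites)
    body += bytes([len(compression)]) + bytes(compression)
    return b"\x01" + len(body).to_bytes(3, "big") + body
```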
Cullen Jennings Former IESG member
No Objection
Dan Romascanu Former IESG member
No Objection
David Ward Former IESG member
No Objection
Jon Peterson Former IESG member
No Objection
Lisa Dusseault Former IESG member
No Objection
Magnus Westerlund Former IESG member
No Objection
Mark Townsley Former IESG member
No Objection
Ron Bonica Former IESG member
No Objection
Ross Callon Former IESG member
No Objection
Russ Housley Former IESG member
No Objection
Tim Polk Former IESG member
No Objection