The EAP-TLS Authentication Protocol
Draft of message to be sent after approval:
From: The IESG
To: IETF-Announce
Cc: Internet Architecture Board, RFC Editor, emu mailing list, emu chair
Subject: Protocol Action: 'The EAP TLS Authentication Protocol' to Proposed Standard

The IESG has approved the following document:

- 'The EAP TLS Authentication Protocol' as a Proposed Standard

This document is the product of the EAP Method Update Working Group.

The IESG contact persons are Sam Hartman and Tim Polk.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-simon-emu-rfc2716bis-14.txt

Technical Summary

The Extensible Authentication Protocol (EAP), defined in RFC 3748, provides support for multiple authentication methods. Transport Layer Security (TLS) provides for mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two endpoints. This document defines EAP-TLS, which includes support for certificate-based mutual authentication and key derivation. This document obsoletes RFC 2716 to bring EAP-TLS into the standards track.

Working Group Summary

The document represents rough consensus of the working group.

Protocol Quality

This document has been reviewed for the IESG by Sam Hartman. There are many interoperable implementations of EAP-TLS deployed today. This document has been reviewed by people involved in the EAP, TLS and PKIX working groups.

Note to RFC Editor

Please replace Section 2.4 with the following text:

2.4. Ciphersuite and Compression Negotiation

EAP-TLS implementations MUST support TLS v1.0.

EAP-TLS implementations need not necessarily support all TLS ciphersuites listed in [RFC4346]. Not all TLS ciphersuites are supported by available TLS tool kits and licenses may be required in some cases.

To ensure interoperability, EAP-TLS peers and servers MUST support the TLS [RFC4346] mandatory-to-implement ciphersuite:

   TLS_RSA_WITH_3DES_EDE_CBC_SHA

EAP-TLS peers and servers SHOULD also support and be able to negotiate the following TLS ciphersuites:

   TLS_RSA_WITH_RC4_128_SHA [RFC4346]
   TLS_RSA_WITH_AES_128_CBC_SHA [RFC3268]

In addition, EAP-TLS servers SHOULD support and be able to negotiate the following TLS ciphersuite:

   TLS_RSA_WITH_RC4_128_MD5 [RFC4346]

Since TLS supports ciphersuite negotiation, peers completing the TLS negotiation will also have selected a ciphersuite, which includes encryption and hashing methods. Since the ciphersuite negotiated within EAP-TLS applies only to the EAP conversation, TLS ciphersuite negotiation MUST NOT be used to negotiate the ciphersuites used to secure data.

TLS also supports compression as well as ciphersuite negotiation. However, during the EAP-TLS conversation the EAP peer and server MUST NOT request or negotiate compression.
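
The Section 2.4 requirements above can be checked against a captured ClientHello. The following is an added example, not part of the IESG message or the draft: it audits the ciphersuites and compression methods a peer offers. It assumes the input is the reassembled TLS handshake message with EAP-TLS framing and the TLS record header already removed, and it treats "offered" as evidence of "supported"; the function names and sample messages are constructed for illustration.

```python
# IANA code points for the ciphersuites named in Section 2.4 (peer side).
MUST = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
SHOULD = {0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

def parse_client_hello(msg):
    """Return (ciphersuites, compression_methods) from a ClientHello handshake message."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    take(2 + 32)                                  # client_version, random
    take(take(1)[0])                              # session_id
    raw = take(int.from_bytes(take(2), "big"))    # cipher_suites vector
    if len(raw) % 2:
        raise ValueError("odd cipher_suites length")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
    return suites, list(take(take(1)[0]))         # compression_methods

def audit_client_hello(msg):
    """List deviations from the Section 2.4 requirements for an EAP-TLS peer."""
    suites, compression = parse_client_hello(msg)
    findings = [f"MUST: {n} not offered" for c, n in MUST.items() if c not in suites]
    findings += [f"SHOULD: {n} not offered" for c, n in SHOULD.items() if c not in suites]
    requested = [m for m in compression if m != 0]   # 0 is the null method
    if requested:
        findings.append(f"MUST NOT: compression methods {requested} requested")
    return findings

def build_client_hello(suites, compression):
    """Constructed sample input: minimal TLS 1.0 ClientHello without extensions."""
    body = b"\x03\x01" + bytes(32) + b"\x00"
    body += (2 * len(suites)).to_bytes(2, "big") + b"".join(s.to_bytes(2, "big") for s in suites)
    body += bytes([len(compression)]) + bytes(compression)
    return b"\x01" + len(body).to_bytes(3, "big") + body

GOOD = build_client_hello([0x000A, 0x0005, 0x002F], [0])
BAD = build_client_hello([0x002F], [1, 0])           # no 3DES, offers DEFLATE (1)

if __name__ == "__main__":
    for label, hello in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_client_hello(hello) or "conforms")
```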