50 likes | 154 Views
IETF 66 Enhanced EAP-TLS Discussion. Hao Zhou Cisco Systems, Inc. hzhou@cisco.com. Requirements. RFC2716bis focuses on describing current EAP-TLS implementation, no new enhancements New cipher suites, such as PSK, Kerberos, ECC
E N D
IETF 66Enhanced EAP-TLS Discussion Hao Zhou Cisco Systems, Inc. hzhou@cisco.com EMU WG, IETF 66
Requirements • RFC2716bis focuses on describing current EAP-TLS implementation, no new enhancements • New cipher suites, such as PSK, Kerberos, ECC • New TLS extensions, e.g., authorization extension, identity protection extension. • RFC4017 requirements: channel binding, identity protection, shared state equivalence. • RFC4017 requirement: authentication methods beyond certificates • User name and password, secure token card, mobile credentials, asymmetric credentials (password one side and private/public key on other side) • Any others: enrollment, arbitrary data exchange, bootstrapping? EMU WG, IETF 66
Weak Password Support • Part of the WG charter • Support existing databases with weak password • Existing solutions are thru tunneling TLS based method., e.g., PEAP, EAP-FAST, EAP-TTLS. • Do we continue to use TLS-based approach? • Does it make sense to develop a single enhanced EAP-TLS protocol to address this requirement? EMU WG, IETF 66
How Many EAP-TLS Types are Required? • Type 13 for RFC2716 EAP-TLS • Type X for Enhanced EAP-TLS • Type Y For EAP-TLS PSK • Type Z for weak password support • Type ? for … Or a single EAP-TLS based method to support all enhanced features? EMU WG, IETF 66
Proposal • Develop an Enhanced EAP-TLS method supports all requirements in Slide 2. • Allow client optionally not send client certificate in TLS handshake but go thru a second inner authentication in the protected TLS tunnel, which supports legacy weak password database. • It could be done thru inner EAP method in TLS Application data or TLS InnerApplication exchange. EMU WG, IETF 66