One question related to EAP-TLS is what do we do with other TLS-based EAP methods?
i.e. EAP-TTLS, PEAP, and EAP-FAST all define key derivations based on the PRF in TLS 1.2. Since that's no longer available with TLS 1.3, *all* of these methods will not work with TLS 1.3.

The simplest way to fix this is to change the key derivation in draft-mattsson-eap-tls13-03:

Key_Material = TLS-Exporter("client EAP encryption KM", "", 128)
IV = TLS-Exporter("client EAP encryption IV", "", 64)
Session-Id = TLS-Exporter("client EAP encryption ID", "", 64)

The second argument to the TLS-Exporter function is the "context". In this case, an empty string. That could be changed to a one-byte value containing the EAP type. This changes nothing (effectively) for EAP-TLS. Plus, it allows natural extensions to the other TLS-based EAP methods. They could just change that one byte, and enable TLS 1.3.

Even if that isn't done, I think the proposal is the simplest way to fix the other EAP methods. The EAP-TLS document could then just say "other EAP methods based on TLS can change the byte to their EAP type". I think a minor change to the draft && one sentence is preferable to writing a new document to define this change.

Or, the charter already has a line item for:

- Define session identifiers for fast re-authentication for EAP-SIM, EAP-AKA, and EAP-AKA’.

The lack of this definition is a recently discovered bug in the original RFCs. I owe the WG a document for that. If the above change isn't accepted, I can add some text on TLS 1.3 key derivation, too. The document could then be a generic "fix keys in EAP methods" document.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
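The derivation proposed in the message above, worked through as an added example (not Alan's code, and not from the draft): it implements the RFC 8446 TLS-Exporter on top of HKDF and derives Key_Material, IV and Session-Id with either the draft's empty context or the suggested one-byte EAP type. It assumes a SHA-256 based cipher suite, a constructed exporter master secret, and the IANA EAP type numbers for the four methods (13, 21, 25, 43).

```python
import hashlib
import hmac
from typing import Dict, Optional

# Assumes a SHA-256 based TLS 1.3 cipher suite (e.g. TLS_AES_128_GCM_SHA256).
HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """RFC 8446 section 7.1 HKDF-Expand-Label; the label carries the "tls13 " prefix."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)

def tls_exporter(exporter_master_secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """RFC 8446 section 7.5 TLS-Exporter(label, context_value, key_length)."""
    # Derive-Secret(Secret, label, "") hashes the empty transcript; the context is hashed too.
    derived = hkdf_expand_label(exporter_master_secret, label, HASH(b"").digest(), HASH_LEN)
    return hkdf_expand_label(derived, "exporter", HASH(context).digest(), length)

def eap_tls13_keys(exporter_master_secret: bytes, eap_type: Optional[int] = None) -> Dict[str, bytes]:
    """draft-mattsson-eap-tls13-03 derivation; eap_type=None keeps the draft's empty context."""
    context = b"" if eap_type is None else bytes([eap_type])  # the proposed one-byte context
    return {
        "Key_Material": tls_exporter(exporter_master_secret, "client EAP encryption KM", context, 128),
        "IV": tls_exporter(exporter_master_secret, "client EAP encryption IV", context, 64),
        "Session-Id": tls_exporter(exporter_master_secret, "client EAP encryption ID", context, 64),
    }

# IANA EAP method type numbers for the TLS-based methods discussed above.
EAP_TYPES = {"EAP-TLS": 13, "EAP-TTLS": 21, "PEAP": 25, "EAP-FAST": 43}

# Constructed exporter master secret for demonstration only (not a real key).
DEMO_EMS = bytes(range(32))

if __name__ == "__main__":
    for name, eap_type in EAP_TYPES.items():
        print(name, eap_tls13_keys(DEMO_EMS, eap_type)["Session-Id"][:8].hex())
```

Because the context is hashed into the exporter input, the same exporter master secret yields unrelated key material per EAP type, which is what lets each method switch to TLS 1.3 by changing only that byte.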