Fwd: I-D ACTION:draft-nir-tls-eap-00.txt
Yaron Sheffer <yaronf <at> checkpoint.com>
2007-06-12 08:33:46 GMT
we have recently
submitted this revised draft, which should be of interest to the TLS
community. I am cross-posting to the EAP list, as some people raised
issues around the applicability of EAP to this proposal.
Your comments are very
welcome. Please reply to the TLS list.
-------- Original Message --------
A New Internet-Draft is available from the on-line Internet-Drafts
Title : TLS using EAP Authentication
Author(s) : Y. Nir, et al.
Filename : draft-nir-tls-eap-00.txt
Pages : 20
Date : 2007-6-11
This document describes an extension to the TLS protocol to allow TLS
clients to authenticate with legacy credentials using the Extensible
Authentication Protocol (EAP).
This work follows the example of IKEv2, where EAP has been added to
the IKEv2 protocol to allow clients to use different credentials such
as passwords, token cards, and shared secrets.
When TLS is used with EAP, additional records are sent after the
ChangeCipherSpec protocol message and before the Finished message,
effectively creating an extended handshake before the application
layer data can be sent. Each EapMsg handshake record contains
exactly one EAP message. Using EAP for client authentication allows
TLS to be used with various AAA back-end servers such as RADIUS or
TLS with EAP may be used for securing a data connection such as HTTP
or POP3. We believe it has three main benefits:
o The ability of EAP to work with backend servers can remove that
burden from the application layer.
o Moving the user authentication into the TLS handshake protects the
presumably less secure application layer from attacks by
o Using mutual authentication methods within EAP can help thwart
certain classes of phishing attacks.
A URL for this Internet-Draft is:
To remove yourself from the I-D Announcement list, send a message to
i-d-announce-request <at> ietf.org
with the word unsubscribe in the body of
You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
to change your subscription settings.
Internet-Drafts are also available by anonymous FTP. Login with the
username "anonymous" and a password of your e-mail address. After
logging in, type "cd internet-drafts" and then
A list of Internet-Drafts directories can be found in
Internet-Drafts can also be obtained by e-mail.
Send a message to:
mailserv <at> ietf.org
In the body type:
NOTE: The mail server at ietf.org can return the document in
MIME-encoded form by using the "mpack" utility. To use this
feature, insert the command "ENCODING mime" before the "FILE"
command. To decode the response(s), you will need "munpack" or
a MIME-compliant mail reader. Different MIME-compliant mail readers
exhibit different behavior, especially when dealing with
"multipart" MIME messages (i.e. documents which have been split
up into multiple messages), so check your local documentation on
how to manipulate these messages.
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
To unsubscribe or modify your subscription options, please visit: