2

EAP-TLS with TLS 1.3 is standardized in RFC 9190. Section 2.1.1 specifies Authentication. The RFC states that PSK authentication shall not be used except for resumption. This is surprising, because TLS 1.3 allows authentication with PSK (and optionally key agreement with ECDHE). Is there a fundamental reason why PSK authentication is not allowed in, or not compatible with EAP-TLS 1.3?

  • 1
    https://datatracker.ietf.org/doc/html/draft-mattsson-emu-eap-tls-psk-00 provides a proposal for EAP-TLS with PSK authentication (EAP-TLS-PSK). The proposal does not identify any fundamental objections to PSK authentication, and simply defines a new IANA method identifier. – Mark Thomas May 18 '22 at 10:03

1 Answer

2

It is not clear why external PSK is forbidden in EAP-TLS with TLSv1.3.

One drawback is that the external PSK identity is transmitted in cleartext which could have a negative privacy impact. The client certificate is transmitted encrypted in TLS v1.3.

(Note that in TLS v1.2, the client certificate is often/usually transmitted in cleartext.)

Moreover, the TLS v1.3 specification requires that each PSK is only used with a single hash function, which is not so great from an ergonomics point of view. The proposed importer mechanism mitigates this problem but is currently only a draft.

ysdx
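To make the privacy point concrete, here is an added example (not code from the answer, the RFC, or any EAP implementation) that encodes a pre_shared_key extension in the RFC 8446 section 4.2.11 layout and then walks a constructed ClientHello extensions vector to pull the offered identities back out of the raw bytes. The identity strings and hostname are made up; binders are zero placeholders rather than real HMACs; the input is assumed to be the extensions vector body without its outer 2-byte length prefix.

```python
import struct

SERVER_NAME = 0      # extension type, RFC 6066
PRE_SHARED_KEY = 41  # extension type, RFC 8446 section 4.2.11


def build_sni_extension(hostname: bytes) -> bytes:
    """Encode a server_name extension (only here so the parser has something to skip)."""
    entry = b"\x00" + struct.pack("!H", len(hostname)) + hostname  # name_type host_name(0)
    body = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SERVER_NAME, len(body)) + body


def build_psk_extension(identities: list, binder_len: int = 32) -> bytes:
    """Encode OfferedPsks: identities<7..2^16-1> then binders<33..2^16-1>.
    Binders are zero placeholders here; a real client computes each one as an HMAC
    over the ClientHello prefix using the hash bound to that PSK."""
    ids = b"".join(struct.pack("!H", len(i)) + i + struct.pack("!I", 0) for i in identities)
    binders = b"".join(bytes([binder_len]) + b"\x00" * binder_len for _ in identities)
    body = struct.pack("!H", len(ids)) + ids + struct.pack("!H", len(binders)) + binders
    return struct.pack("!HH", PRE_SHARED_KEY, len(body)) + body


def extract_psk_identities(extensions: bytes) -> list:
    """Walk a ClientHello extensions vector and return every PSK identity offered.
    Nothing is decrypted: in TLS 1.3 the ClientHello is still plaintext on the wire."""
    found = []
    pos = 0
    while pos + 4 <= len(extensions):
        ext_type, ext_len = struct.unpack("!HH", extensions[pos:pos + 4])
        data = extensions[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != PRE_SHARED_KEY:
            continue
        (ids_len,) = struct.unpack("!H", data[:2])
        p, end = 2, 2 + ids_len
        while p + 2 <= end:
            (id_len,) = struct.unpack("!H", data[p:p + 2])
            found.append(data[p + 2:p + 2 + id_len])
            p += 2 + id_len + 4  # skip the identity and its obfuscated_ticket_age
    return found


# Constructed sample: an SNI extension followed by an external PSK offer.
SAMPLE_EXTENSIONS = build_sni_extension(b"eap.example.net") + build_psk_extension(
    [b"alice@example.net"]
)
```

Running `extract_psk_identities(SAMPLE_EXTENSIONS)` returns the identity exactly as it appears on the wire, which is the exposure the answer describes; a client certificate, by contrast, only appears after the handshake is encrypted.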