Re: [Emu] WG Last Call for Using EAP-TLS with TLS 1.3 (draft-ietf-emu-eap-tls13-17)

Alan DeKok <aland@deployingradius.com> Thu, 08 July 2021 13:11 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <085b01d773c5$d9d167d0$8d743770$@securew2.com>
Date: Thu, 8 Jul 2021 09:10:55 -0400
Cc: EMU WG <emu@ietf.org>
Message-Id: <B4B543CD-E0B2-45E2-BD8C-5E63FC2439CF@deployingradius.com>
References: <CAOgPGoDX9HdmgvmnWz_xUTqXMM7pd4_T9W3opFR77ce8CNWdQQ@mail.gmail.com> <CABXxEz9GSgGof6t_3w3AngH6-FrMbKzDGKpDS90-N2gtmgqgnA@mail.gmail.com> <CAOgPGoBLb-70jynH7o26nyF4T=+ZcCk6GMb6zyXk6E8+erTjqQ@mail.gmail.com> <CAOgPGoADC_z4v2pUOAXC+HW1-P_OOuLOL5zR9tBjTCXXV7-22A@mail.gmail.com> <2c67a3b5-de25-cd3e-5b7c-e01e11a05ab1@ericsson.com> <085b01d773c5$d9d167d0$8d743770$@securew2.com>
To: Tom Rixom <tom.rixom@securew2.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/BrNG_vEoGYvJafbBsCsBUDZDwAU>
Subject: Re: [Emu] WG Last Call for Using EAP-TLS with TLS 1.3 (draft-ietf-emu-eap-tls13-17)

On Jul 8, 2021, at 2:52 AM, tom.rixom@securew2.com wrote:
> Maybe this has been discussed already, but we often see the need for multiple root CAs when people are migrating the root CA of their RADIUS server. They would then configure both the old and new root CA in the client to allow a seamless transition.

  Yes, that makes sense.  Perhaps instead:

SHOULD allow for the configuration of one or more trusted root (CA
   certificates) 

  Alan DeKok.