EAP Method Update (emu) ----------------------- Charter Last Modified: 2009-02-11 Current Status: Active Working Group Chair(s): Joseph Salowey Alan DeKok Alan DeKok Security Area Director(s): Sean Turner Tim Polk Security Area Advisor: Sean Turner Mailing Lists: General Discussion:emu@ietf.org To Subscribe: https://www.ietf.org/mailman/listinfo/emu Archive: http://www.ietf.org/mail-archive/web/emu/current/maillist.html Description of Working Group: The Extensible Authentication Protocol (EAP) [RFC 3748] is a network access authentication framework used in the PPP, 802.11, 802.16, VPN, PANA, and in some functions in 3G networks. EAP itself is a simple protocol and actual authentication happens in EAP methods. Over 40 different EAP methods exist. Most of these methods are proprietary methods, but some are documented in informational RFCs. In the past the lack of documented, open specifications has been a deployment and interoperability problem. There are currently only two EAP methods in the standards track that implement features such as key derivation that are required for many modern applications. Authentication types and credentials continue to evolve as do requirements for EAP methods. This group is chartered to work on the following types of mechanisms to meet requirements relevant to EAP methods in RFC 3748, RFC 4017, RFC 4962 and EAP Keying: - A mechanism based on strong shared secrets. This mechanism should strive to be simple and compact for implementation in resource constrained environments. - A document that defines EAP channel bindings and provides guidance for establishing EAP channel bindings within EAP methods. - Enable TLS-based EAP methods to support channel bindings. This item will not generate a new method; rather, it will focus on adding support for EAP channel bindings to the tunneled method (described below), and if possible, other TLS-based EAP methods. Potential mechanisms for adding channel binding support will be investigated, including tunneling of channel binding parameters, or a TLS extension, or other standard TLS mechanism - A mechanism to support extensible communication within a TLS protected tunnel. This mechanism will support meeting the requirements of an enhanced TLS mechanism, a password based authentication mechanism, and additional inner authentication mechanisms. It will also support channel bindings (as described above) in order to meet RFC 4962 requirements. - A mechanism that makes use of existing password databases such as AAA databases. This item will be based on the above tunnel method. Goals and Milestones: Done Form design team to work on strong shared secret mechanism Done Submit 2716bis I-D Jun 2006 Submit first draft of enhanced EAP-TLS I-D Done Submit first draft of shared secret mechanism I-D Done Form password based mechanism design team Aug 2006 Submit 2716bis draft to IESG for Proposed Standard Nov 2006 Submit 2716bis draft to IESG for draft standard Dec 2006 Submit first draft password based method I-D Jan 2007 Submit Strong Shared Secret Mechanism to IESG Jan 2007 Submit enhanced EAP-TLS to IESG Aug 2007 Submit password Based Mechanism to IESG Jun 2008 Submit Tunnel and Password Method requirements first Draft Sep 2008 Submit EAP Channel Bindings First Draft Sep 2008 Submit Tunnel Method first draft Oct 2008 Submit TLS based method channel binding first draft Oct 2008 Submit Password Method first draft Jan 2009 Send EAP Channel Bindings to IESG Mar 2009 Send Tunnel Method to IESG Apr 2009 Send TLS based method channel binding to IESG Apr 2009 Send Password based method to IESG Internet-Drafts: Posted Revised I-D Title ------ ------- -------------------------------------------- Jun 2008 Sep 2010 Requirements for a Tunnel Based EAP Method Dec 2008 Jul 2010 Channel Binding Support for EAP Methods Request For Comments: RFC Stat Published Title ------- -- ----------- ------------------------------------ RFC5216 PS Mar 2008 The EAP TLS Authentication Protocol RFC5433 PS Feb 2009 Extensible Authentication Protocol - Generalized Pre-Shared Key (EAP-GPSK) Method