Re: [Emu] WG Last Call: draft-simon-emu-rfc2716bis-05

Hi Bernard,

> So adding 1.5 round-trips for an initial exchange will typically not
> represent much of a performance penalty in intranet scenarios.

Doesn't the server send an empty certificate_request in each TLS session? If
so, it will cost at least 2 more round-trips. Anyway, my concern is
about charging the server, especially when forged clients try to connect.
The authentication server will not be able to detect such an action early.

> the set of Identity protection ciphersuites described in the document
> are limited, so that an EAP-TLS implementation might not be able to
> negotiate the ciphersuites that it would prefer along with identity
> privacy.

Recently, a discussion on the TLS mailing list regarding static DH
implementations (http://www1.ietf.org/mail-archive/web/tls/current/msg00856.html)
showed that static DH ciphersuites rarely seem to be supported, especially by:

- The Certicom SSL-C.
- cryptlib (definitely doesn't do static DH).
- PureTLS (hasn't tested static DH).
- OpenSSL

I don't know if TLS implementations of Microsoft support static DH
ciphersuites.

The identity protection ciphersuites support all ciphersuites except those
based on static DH (static DH may be added, but full identity protection
will therefore not be provided).

Best regards,
Badra

_______________________________________________
Emu mailing list
Emu at ietf.org
https://www1.ietf.org/mailman/listinfo/emu