Technical Summary
The Extensible Authentication Protocol (EAP), defined in RFC 3748,
provides a standard mechanism for support of multiple authentication
methods. This document specifies the use of EAP-Transport Layer
Security (EAP-TLS) with TLS 1.3 while remaining backwards compatible
with existing implementations of EAP-TLS. TLS 1.3 provides
significantly improved security, privacy, and reduced latency when
compared to earlier versions of TLS. EAP-TLS with TLS 1.3 (EAP-TLS
1.3) further improves security and privacy by always providing
forward secrecy, never disclosing the peer identity, and by mandating
use of revocation checking. This document also provides guidance on
authentication, authorization, and resumption for EAP-TLS in general
(regardless of the underlying TLS version used). This document
updates RFC 5216.
Working Group Summary
The document had a lot of review and discussion. There is in general good consensus for moving the document forward. Towards the end of the WG discussion, an additional consensus call was needed to agree to produce the normative language on OCSP usage.
This document was sent for IESG review in February 2021. IESG review uncovered a design issue (https://mailarchive.ietf.org/arch/msg/emu/3ZFWAx0of-67P6yhtMIdmx9BLNs/) which sent the document back to the WG. This document was updated, sent through WG and IETF LC and is now returning again to the IESG.
Document Quality
Much of the discussion on the list was based on comments from implementers of the previous version of the protocol or of the proposed version of the protocol.
At least two public implementations of the protocol are available:
wpa_supplicant - https://w1.fi/cgit/hostap/
FreeRADIUS - https://github.com/FreeRADIUS/freeradius-server
Personnel
Document Shepherd - Joe Salowey
Responsible AD - Roman Danyliw