commoncriteria / authserver

Authentication Server
The Unlicense

FCS_RADSEC_EXT.1 consistency issues #23

Open jfisherbah opened 2 years ago

jfisherbah commented 2 years ago

The updated copy of FCS_RADSEC_EXT.1 defers to the NDcPP for the (D)TLS implementation. However, one issue with this is that FCS_RADSEC_EXT.1.2 allows PSKs instead of X.509 certificates for authentication. The NDcPP (D)TLS requirements only define ciphersuites that use X.509 for authentication and so there is no coverage of the PSK case, e.g. TLS_PSK_WITH_AES_128_CBC_SHA as defined in the previous version of the SFR.

Need to resolve what happens to the (D)TLS claims in the event that RadSec is claimed but only PSK is used for authentication, unless the solution is to mandate X.509 for this.

jfisherbah commented 2 years ago

Note also that the EAs from the previous draft of the EP are no longer applicable to the updated SFR since it was changed significantly. New EAs will need to be developed once we determine how to update the SFR with respect to the issue raised.
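As an added illustration of the gap described in this thread (not code from the authserver repository): a small checker that classifies a RadSec ciphersuite claim by authentication method and reports whether certificate-authenticated NDcPP (D)TLS selections could cover it. The NDcPP suite list below is a constructed stand-in, not the normative list, and the verdict strings are this example's own.

```python
import re

# Constructed stand-in for the NDcPP certificate-authenticated suite selections
# (assumption: the authoritative list is whatever the referenced NDcPP selects).
NDCPP_CERT_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}

# IANA name layout for TLS 1.2-style suites: TLS_<kx>[_<auth>]_WITH_<cipher and hash>
_SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9]+?)(?:_(?P<auth>RSA|ECDSA|DSS|PSK|anon))?_WITH_.+$"
)


def auth_method(suite):
    """Return 'cert', 'psk', 'anon' or 'unknown' for an IANA ciphersuite name."""
    m = _SUITE_RE.match(suite)
    if not m:
        return "unknown"  # e.g. TLS 1.3 names carry no key-exchange/auth fields
    kx, auth = m.group("kx"), m.group("auth")
    if "PSK" in (kx, auth):
        return "psk"  # PSK, DHE_PSK, ECDHE_PSK and RSA_PSK all depend on a PSK
    if auth == "anon":
        return "anon"
    if auth in ("RSA", "ECDSA", "DSS") or kx == "RSA":
        return "cert"  # server proves possession of an X.509-certified key
    return "unknown"


def assess_radsec_claim(claimed):
    """Split a RadSec ciphersuite claim into suites the NDcPP (D)TLS SFRs can
    cover (X.509-authenticated) and suites they cannot (PSK-authenticated)."""
    cert = [s for s in claimed if auth_method(s) == "cert"]
    psk = [s for s in claimed if auth_method(s) == "psk"]
    other = [s for s in claimed if s not in cert and s not in psk]
    not_in_ndcpp = [s for s in cert if s not in NDCPP_CERT_SUITES]
    if claimed and not cert:
        verdict = "psk-only: no NDcPP (D)TLS coverage for the RadSec claim"
    elif psk or other or not_in_ndcpp:
        verdict = "partial: some claimed suites fall outside the NDcPP selections"
    else:
        verdict = "consistent: every claimed suite is NDcPP certificate-authenticated"
    return {"cert": cert, "psk": psk, "other": other,
            "not_in_ndcpp": not_in_ndcpp, "verdict": verdict}


if __name__ == "__main__":
    print(assess_radsec_claim(["TLS_PSK_WITH_AES_128_CBC_SHA"]))
```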