Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

John Mattsson <john.mattsson@ericsson.com> Fri, 20 September 2019 10:41 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Alan DeKok <aland@deployingradius.com>, "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>, EMU WG <emu@ietf.org>
Date: Fri, 20 Sep 2019 10:41:53 +0000
Message-ID: <634C375D-FBF3-4297-A5C0-E68C903CA34A@ericsson.com>
References: <7828_1564869242_5D46027A_7828_348_1_02e001d54a45$e92ae900$bb80bb00$@augustcellars.com> <20b118932a4843b6b88e605799fafea8@aalto.fi> <211AD83C-D111-4EEB-AAF0-D9B5E521F4CF@deployingradius.com> <8F355C6F-DF1E-4E03-B75E-0F1D2508B9D4@ericsson.com> <246280B8-6E5C-484B-95BD-9C940C98C507@deployingradius.com> <CY4PR1101MB22781AB8C8982ACF99B61544DB8E0@CY4PR1101MB2278.namprd11.prod.outlook.com> <17E08795-4E4E-4507-8384-836020966BCF@deployingradius.com>
In-Reply-To: <17E08795-4E4E-4507-8384-836020966BCF@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/-7bimJV-9fyStWwA26Da_y7JIcc>
Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

Hi Alan,

I added references to RFC 8446 Sections 8.1, 8.2, and 4.2.11. Agree that they are good to point out.

I am not sure about the other suggestions; I am hesitant to discuss anything detailed about TLS 1.3 that does not have a specific connection to EAP-TLS or is useful for users of EAP-TLS. My feeling is that adding some extensions but not others would be even more confusing. The diagrams are there to show the message flows, which have a strong connection to the EAP state machine. For other details I think implementors have to read RFC 8466.

/John

-----Original Message-----
From: Alan DeKok <aland@deployingradius.com>
Date: Wednesday, 18 September 2019 at 15:21
To: "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>, EMU WG <emu@ietf.org>
Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
Resent from: <alias-bounces@ietf.org>
Resent to: John Mattsson <john.mattsson@ericsson.com>, <mohit@piuha.net>
Resent date: Wednesday, 18 September 2019 at 15:21

Just re-reading the text on PSK, I noticed a few things. The text in Section 2.1.2 talks about PSK, the session ticket, and a "key_share" extension. The accompanying diagram doesn't include any of those. I suggest updating the diagram to include them.

As a related note, if the PSK *is* in the resumption cache, but the key is wrong, the cache entry should not be discarded. Otherwise an attacker can disable caching for *all* users. This issue could be clearer in this document.

Perhaps it would be useful to add a short note in Section 5 about security of resumption. It should reference RFC 8446 Sections 8.1 and 8.2, which discuss this issue. Also, Section 4.2.11 of that document has an "Implementor's note:" which is important.

Alan DeKok.
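The cache-eviction point Alan raises above is easy to get wrong in a server's resumption path, so here is an added illustration (my own toy model, not code from the draft, from RFC 8446, or from any EAP-TLS implementation). It models a server-side resumption cache keyed by ticket identity and contrasts two policies: the flawed one that deletes the entry whenever a ClientHello names the ticket with a wrong PSK binder, and the correct one that rejects that handshake but leaves the entry in place until it expires on its own schedule. The `compute_binder` function is a simplified HMAC stand-in for the RFC 8446 binder derivation (the real one uses HKDF-Expand-Label over the partial ClientHello transcript); the class and function names, the string result codes, and the transcript bytes are all constructed for this example.

```python
import hashlib
import hmac
import os


def compute_binder(psk: bytes, transcript: bytes) -> bytes:
    """Toy stand-in for the RFC 8446 PSK binder (assumption: real
    implementations derive binder_key with HKDF-Expand-Label and hash the
    partial ClientHello).  Shape is the same: a MAC keyed by a key derived
    from the PSK over a hash of the transcript so far."""
    binder_key = hmac.new(psk, b"res binder", hashlib.sha256).digest()
    transcript_hash = hashlib.sha256(transcript).digest()
    return hmac.new(binder_key, transcript_hash, hashlib.sha256).digest()


class ResumptionCache:
    """Server-side session cache keyed by ticket identity (hypothetical model).

    evict_on_bad_binder=True is the flawed policy: a ClientHello that names a
    valid ticket but carries a wrong binder deletes the entry, so the ticket's
    legitimate owner is forced back to a full handshake.  False is the policy
    Alan asks for: abort that handshake (RFC 8446 Section 4.2.11 says a binder
    that does not verify gets an illegal_parameter alert) but keep the entry.
    """

    def __init__(self, evict_on_bad_binder: bool, lifetime_s: int = 3600):
        self._entries = {}  # ticket_id -> (resumption PSK, expiry time)
        self.evict_on_bad_binder = evict_on_bad_binder
        self.lifetime_s = lifetime_s

    def issue_ticket(self, resumption_psk: bytes, now: float) -> bytes:
        """Store the PSK under a fresh random ticket identity after a full
        handshake and hand the identity back to the client."""
        ticket_id = os.urandom(16)
        self._entries[ticket_id] = (resumption_psk, now + self.lifetime_s)
        return ticket_id

    def try_resume(self, ticket_id: bytes, transcript: bytes,
                   binder: bytes, now: float) -> str:
        """Return one of the constructed result codes
        NO_ENTRY / EXPIRED / BAD_BINDER / RESUMED."""
        entry = self._entries.get(ticket_id)
        if entry is None:
            return "NO_ENTRY"
        psk, expiry = entry
        if now >= expiry:
            # Normal lifetime expiry is the only time a mismatch-free
            # removal happens here; the age is the server's decision.
            del self._entries[ticket_id]
            return "EXPIRED"
        expected = compute_binder(psk, transcript)
        if not hmac.compare_digest(expected, binder):
            if self.evict_on_bad_binder:
                del self._entries[ticket_id]  # the flawed behaviour
            return "BAD_BINDER"
        return "RESUMED"


def simulate(evict_on_bad_binder: bool) -> list:
    """Run the two-step scenario from the thread: a wrong-binder attempt
    against a valid ticket, followed by the legitimate owner's resumption."""
    cache = ResumptionCache(evict_on_bad_binder)
    now = 1000.0
    client_psk = os.urandom(32)               # agreed in a full handshake
    ticket = cache.issue_ticket(client_psk, now)
    transcript = b"ClientHello(pre_shared_key=" + ticket + b")"  # constructed
    results = []
    # Step 1: a ClientHello naming the ticket but with a binder that cannot
    # have been computed from the PSK (random bytes stand in for "wrong key").
    results.append(cache.try_resume(ticket, transcript, os.urandom(32), now + 1))
    # Step 2: the legitimate client resumes with the correct binder.
    good_binder = compute_binder(client_psk, transcript)
    results.append(cache.try_resume(ticket, transcript, good_binder, now + 2))
    return results


if __name__ == "__main__":
    print("evict on bad binder:", simulate(True))   # second step fails
    print("keep entry        :", simulate(False))  # second step resumes
```

With the flawed policy the second step returns `NO_ENTRY`: one wrong-binder ClientHello per ticket identity is enough to push every client back to full handshakes, which is the "disable caching for all users" outcome in Alan's note. With the entry kept, the bad attempt is rejected and the owner still resumes. Single-use tickets (RFC 8446 Section 8.1) are a separate matter: they are removed after a *successful* resumption, not after a failed one.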