Re: [Emu] EAP-TLS 1.3 Section 2.2 text

Joseph Salowey <joe@salowey.net> Fri, 21 May 2021 05:23 UTC

References: <CAOgPGoBDcbDxGB3_Qy_xXymhnxrfMaOPNP545eMh8XLvU6OX+A@mail.gmail.com> <92D9824F-82C2-440F-807F-7B4799DCF1B6@deployingradius.com> <CAOgPGoAd3CcaqPYd0aYXBDtCmv32T8hpGH+6ysEn7Pi9M+FSiw@mail.gmail.com> <4698EFD4-83B5-4B77-93E8-0E12FE8BC2DD@vigilsec.com> <CABXxEz-Jzfd4_8=bx8DquchkQVj8Hf07m0U8tYWO9-rFtBjqBw@mail.gmail.com> <CABXxEz9th6-JOgHKqEC5W7XQoi3NKUN3_8F3O_14k6nAdwmgRQ@mail.gmail.com> <F6B720FD-CF54-4953-A598-C6713CC10042@deployingradius.com>
In-Reply-To: <F6B720FD-CF54-4953-A598-C6713CC10042@deployingradius.com>
From: Joseph Salowey <joe@salowey.net>
Date: Thu, 20 May 2021 22:23:11 -0700
Message-ID: <CAOgPGoD4hGS4FBaVV4oopEy+0YOeLzUuYD=hGcTrHXcqSQo9AA@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Oleg Pekar <oleg.pekar.2017@gmail.com>, Russ Housley <housley@vigilsec.com>, EMU WG <emu@ietf.org>, stpeter@mozilla.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/-XAoBp20wvlgzPEOiee7qHp9ywM>

On Wed, May 19, 2021 at 5:58 AM Alan DeKok <aland@deployingradius.com>
wrote:

> On May 19, 2021, at 8:37 AM, Oleg Pekar <oleg.pekar.2017@gmail.com> wrote:
> > After thinking a bit more about it - for the sake of the client
> implementation clarity, would it be better if we provide the strict
> algorithm for server identity check or maybe reference RFC 6125?
>
>   Given the time frame and what we know, I think the existing text is OK.
>
>
[Joe] In addition the intent of the text is to make implementers aware of
the issues and provide some guidance as to how to solve the problem.  I
don't think we can dictate too much more at this point.   We can have
follow-on work to have a strict algorithm if deployers and implementers
feel it is necessary.


>   This is what wpa_supplicant does in its implementation, and it seems to
> work fine.  Apple appears to do the same thing:
>
>
> https://opensource.apple.com/source/eap8021x/eap8021x-264.30.3/EAP8021X.fproj/EAPTLSUtil.c.auto.html
>
>   Look for "trusted_server_names", which leads to:
>
>
> https://opensource.apple.com/source/eap8021x/eap8021x-156/EAP8021X.fproj/EAPTLSUtil.c
>
> server_name_matches_server_names()
>
>   Which checks if the name from the cert is an exact match for one of the
> "trusted_server_names", or contains "*." followed by a suffix which is one
> of the trusted server names.
>
>   I think it's past the time where this document can ask supplicants to
> change their behavior.  We know what the supplicants do; it's not wrong,
> and it seems to work.  So let's document that, and move on.
>
>   Alan DeKok.
>
>
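The matching rule Alan describes for a supplicant's trusted-server-name check, written out as an added C example. This is not Apple's EAP8021X code nor wpa_supplicant's; it only reproduces the two acceptance conditions from the thread: the certificate's presented name equals a configured trusted name exactly, or a configured entry of the form `*.` plus a suffix is matched by the tail of the presented name. Placing the `*.` wildcard in the configured trusted-names list (rather than in the certificate name) is my reading of the description and is an assumption, as are the function names and the constructed trusted list in `DEMO_TRUSTED`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if `name` ends with `suffix` and has at least one character in
 * front of it. The leading '.' in the suffix is what prevents
 * "evilexample.com" from matching "*.example.com". */
static bool has_proper_suffix(const char *name, const char *suffix)
{
    size_t nlen = strlen(name);
    size_t slen = strlen(suffix);
    if (nlen <= slen)
        return false;
    return memcmp(name + (nlen - slen), suffix, slen) == 0;
}

/* Accept the presented certificate name if it exactly equals a trusted
 * entry, or if a trusted entry "*.suffix" (assumption: the wildcard lives
 * in the configured list) matches the tail ".suffix" of the name.
 * Comparison is byte-exact, as the thread says "exact match". */
bool server_name_matches(const char *name, const char *const *trusted,
                         size_t ntrusted)
{
    if (name == NULL || name[0] == '\0')
        return false;
    for (size_t i = 0; i < ntrusted; i++) {
        const char *t = trusted[i];
        if (strcmp(name, t) == 0)
            return true;
        /* "*.example.com": skip the '*' and require ".example.com" as a
         * proper suffix, so neither "example.com" itself nor a name that
         * merely ends in "example.com" is accepted. */
        if (strncmp(t, "*.", 2) == 0 && t[2] != '\0' &&
            has_proper_suffix(name, t + 1))
            return true;
    }
    return false;
}

/* Constructed sample configuration (hypothetical names). */
static const char *const DEMO_TRUSTED[] = {
    "radius.example.com",
    "*.corp.example.net",
};
static const size_t DEMO_TRUSTED_COUNT =
    sizeof(DEMO_TRUSTED) / sizeof(DEMO_TRUSTED[0]);

/* Convenience wrapper over the constructed list. */
bool demo_matches(const char *name)
{
    return server_name_matches(name, DEMO_TRUSTED, DEMO_TRUSTED_COUNT);
}

int main(void)
{
    const char *names[] = {
        "radius.example.com",            /* exact match: accept */
        "auth1.corp.example.net",        /* wildcard suffix: accept */
        "corp.example.net",              /* bare suffix, no label: reject */
        "evilcorp.example.net",          /* not a dot-delimited suffix: reject */
        "radius.example.com.attacker.test", /* trusted name as a prefix: reject */
    };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-36s %s\n", names[i], demo_matches(names[i]) ? "accept" : "reject");
    return 0;
}
```

Two caveats a practitioner would want here: the suffix form accepts any number of labels in front of the configured suffix (that is what "suffix" in the thread implies), whereas a stricter policy in the spirit of RFC 6125 would allow exactly one label; and a production check should normalize case before comparing, since DNS names are case-insensitive.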