IETF Logo Mail Archive

Re: [Emu] Working Group Last Call for draft-ietf-emu-tls-eap-types

Alan DeKok <aland@deployingradius.com> Tue, 14 June 2022 18:12 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 988ECC14F748 for <emu@ietfa.amsl.com>; Tue, 14 Jun 2022 11:12:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s8wH9lOorZyi for <emu@ietfa.amsl.com>; Tue, 14 Jun 2022 11:12:41 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28BDCC14F73D for <emu@ietf.org>; Tue, 14 Jun 2022 11:12:40 -0700 (PDT)
Received: from smtpclient.apple (216-188-224-5.static.grandenetworks.net [216.188.224.5]) by mail.networkradius.com (Postfix) with ESMTPSA id 14FE9135; Tue, 14 Jun 2022 18:12:26 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <85E7EBEB-A8A7-4BE7-A4F4-3FB759578DE9@vigilsec.com>
Date: Tue, 14 Jun 2022 13:12:24 -0500
Cc: Joe Salowey <joe@salowey.net>, EMU WG <emu@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9A6481C6-64DC-430A-8E30-857E7971B029@deployingradius.com>
References: <CAOgPGoCmE-dQ_frOp=vV0Oc=u_=k+QZ3W9JOo_NOwFijiQppqg@mail.gmail.com> <85E7EBEB-A8A7-4BE7-A4F4-3FB759578DE9@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
X-Mailer: Apple Mail (2.3696.100.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/08wvDyMew6cvZAvLy-Z7I5YsbP4>
Subject: Re: [Emu] Working Group Last Call for draft-ietf-emu-tls-eap-types
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jun 2022 18:12:43 -0000

On Jun 13, 2022, at 3:57 PM, Russ Housley <housley@vigilsec.com> wrote:
> 
> Major concerns:
> 
> Section 3, 3rd para: It is unclear to me what "relevant resumption and/or EAP type" means.  Please expand this discussion.

  In context:


As a result, implementations MUST check for application data once the
TLS session has been established.  This check MUST be performed before
proceeding with another round trip of TLS negotiation.  If application
data is available, it MUST be processed according to the relevant
resumption and/or EAP type.

  The intent here is to say "if there's application data, just use that".  I think the reference to "resumption" is superfluous, and can be removed or clarified.

  Perhaps:

As a result, implementations MUST check for application data once the
TLS session has been established.  This check MUST be performed before
proceeding with another round trip of TLS negotiation.  If application data is
received by the EAP peer, any session tickets offered by the supplicant
MUST be ignored, and resumption MUST NOT take place.

The interpretation and processing of application data is dependent on the EAP type
which has been negotiated.  On receiving application data, an EAP implementation
MUST follow the relevant specification (defined by the EAP type) for processing
that application data.

  We didn't need similar text for TTLS / PEAP / FAST, because application data was always interpreted as that particular EAP type.  We need some clarifying text here, because we're talking about TLS-based EAP types in general, and not any specific type.

  I'm not sure how to clarify this any more, otherwise than by deleting the text.

> Minor concerns:
> 
> Section 2 says:
> 
>    There remain some differences between EAP-TLS and other TLS-based EAP
>    methods which necessitates this document.  The main difference is
>    that [RFC9190] uses the EAP-TLS Type (value 0x0D) in a number of
>    calculations, whereas other method types will use their own Type
>    value instead of the EAP-TLS Type value.  This topic is discussed
>    further below in Section 2.
> 
> I assume this should be a forward pointer to Section 2.1.

  Sure.

> Section 2.1 uses || to indicate concatenation, but Section 2.2 uses |.  Please pick one.

  RFC 9190 uses ||, so we'll stick with that.  The text in Section 2.2 was lifted from RFC 7170, which uses |

> 
> Section 2.1 says:
> 
>    ...  There does not
>    appear to be compelling reasons to make the labels method-specific,
>    when they can just include the logical Type in the key derivation.
> 
> I think it would be more clear to say that the inclusion of the logical Type makes the result method-specific.

  OK.  I'll update the text.

> 
> Nit:  The author on the title page should be "A. DeKok"

  Fixed, thanks.

 Alan DeKok.

v2.23.0 | Report a Bug | By Email