Re: [Emu] [Technical Errata Reported] RFC9190 (7577)
Alan DeKok <aland@freeradius.org> Sat, 29 July 2023 23:12 UTC
Return-Path: <aland@freeradius.org>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1322CC14CE4A for <emu@ietfa.amsl.com>; Sat, 29 Jul 2023 16:12:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C6AVO_BOlxTx for <emu@ietfa.amsl.com>; Sat, 29 Jul 2023 16:11:58 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9580BC14CE52 for <emu@ietf.org>; Sat, 29 Jul 2023 16:11:58 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 05F201FD; Sat, 29 Jul 2023 23:11:53 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=fail (p=reject dis=none) header.from=freeradius.org
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@freeradius.org>
In-Reply-To: <20230729230755.4EA614C94A@rfcpa.amsl.com>
Date: Sat, 29 Jul 2023 19:11:52 -0400
Cc: John Mattsson <john.mattsson@ericsson.com>, mohit@iki.fi, rdd@cert.org, paul.wouters@aiven.io, joe@salowey.net, peter@akayla.com, emu@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <368AD6AF-80E2-4F42-BF31-E0A96E85710E@freeradius.org>
References: <20230729230755.4EA614C94A@rfcpa.amsl.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/1vD-9GZFEj-3XuU5EYSDxGL8XAs>
Subject: Re: [Emu] [Technical Errata Reported] RFC9190 (7577)
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jul 2023 23:12:04 -0000
RFC 9427 section 4 says: The EAP peer MUST in turn check for the existence of the protected success result indication (one octet of 0x00) and cause authentication to fail if that octet is not received. This is largely a nit, I think. But it's good to be explicit. This was found by going through the TEAP document / 9190 / 9427 , and comparing the text on resumption and protected success indication. > On Jul 29, 2023, at 7:07 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote: > > The following errata report has been submitted for RFC9190, > "EAP-TLS 1.3: Using the Extensible Authentication Protocol with TLS 1.3". > > -------------------------------------- > You may review the report below and at: > https://www.rfc-editor.org/errata/eid7577 > > -------------------------------------- > Type: Technical > Reported by: Alan DeKok <aland@freeradius.org> > > Section: 2.5 > > Original Text > ------------- > When an EAP-TLS server has successfully processed the TLS client > Finished and sent its last handshake message (Finished or a post- > handshake message), it sends an encrypted TLS record with application > data 0x00. The encrypted TLS record with application data 0x00 is a > protected success result indication, as defined in [RFC3748] ... > > > Corrected Text > -------------- > (append) > > If the EAP-TLS peer does not see the protected success indication, it > MUST behave as if it had received an EAP Failure instead. > > Notes > ----- > This is largely a nit, but it's reasonable to say this. > > The existing text discussed what the server must do, But it does not say what the > peer does if the server fails to behave this way, > > Instructions: > ------------- > This erratum is currently posted as "Reported". If necessary, please > use "Reply All" to discuss whether it should be verified or > rejected. When a decision is reached, the verifying party > can log in to change the status and edit the report, if necessary. > > -------------------------------------- > RFC9190 (draft-ietf-emu-eap-tls13-21) > -------------------------------------- > Title : EAP-TLS 1.3: Using the Extensible Authentication Protocol with TLS 1.3 > Publication Date : February 2022 > Author(s) : J. Preuß Mattsson, M. Sethi > Category : PROPOSED STANDARD > Source : EAP Method Update > Area : Security > Stream : IETF > Verifying Party : IESG > > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://www.ietf.org/mailman/listinfo/emu
- [Emu] [Technical Errata Reported] RFC9190 (7577) RFC Errata System
- Re: [Emu] [Technical Errata Reported] RFC9190 (75… Alan DeKok