Re: [Emu] draft-ietf-emu-eap-tls13-16.txt

Mohit Sethi M <mohit.m.sethi@ericsson.com> Fri, 11 June 2021 18:12 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A04AA3A0D4E for <emu@ietfa.amsl.com>; Fri, 11 Jun 2021 11:12:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TDe4RbzZyH9t for <emu@ietfa.amsl.com>; Fri, 11 Jun 2021 11:12:54 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80089.outbound.protection.outlook.com [40.107.8.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A53E3A0D49 for <emu@ietf.org>; Fri, 11 Jun 2021 11:12:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ixh9v3++uEX+ksIO+OqMXSsnj+Y/y6QiBUv3cQsDL6wOc3XHJ9siRF9Bmi3LPmh9WSSCJ4k6dzM9irMatH4q3bPaJkwb/sZaV6y+CWNpIBDZWN57vl03DZGYyJuRgBE5xI7aily+RXLEUvGW6Ieu4UPqJeV1IEGcORnQwu5ZGngJc5goYmOSd/arUqlpm/myhtYQTD5EBCDbuWSarNCgeSOAXWEB4hNUSAEAQy1IPjrjfDnUYPctAYqUCGpM+ZYadcXbajo3uH7ynuJoIYDZ7/MmB0Se5+nnRprtdmatTjmMfyEWYenur7nbX4i1Cnf1r9IxIl3GEbVbWFXvhCbOqA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yE6CvgwD0bqMZmz8WEnQ8VOR85BXid+/4MHYzSbUveE=; b=S0/4ekSttYY3fgFaLsg5bLzIsLars2OmE01BQ13qOyQY1PLhshmuACla4v3hYRe8KFB9x2fRUxii0eWWJdx6WQxEw1uvLNpDEfOMj/Y6LFpBXv37PT0eNhqchuuXav0c9MJo2ZOiLXCR2RhIkaWCx5LHBU1UlbrAehS68FP/1w9UifsKlzqxY40WuNq7WLGMuoUr+n0ES6wXIMLgq4Zfc6REQT4CzPrcadyRgMkwQxmlYSmys4Pb6vyOcleOSWjxe1EuBSHJ/xCemyOCvwP5C/cbBuZhBmyTj234tjQv6fqQX7aGnYCFXzbPdZEpm5y703q0uvTofWHiHIHOl0QJOg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yE6CvgwD0bqMZmz8WEnQ8VOR85BXid+/4MHYzSbUveE=; b=N6fd+VNdMiJAO+UEFZ58OSWlgJR2IVkec1YoTbH90KGwxRxcGun/egX+Tnf+KGXemlxjJA1tR4Qpu4LVkBzl+3p96OXF7811fNzioWAbM5Df6jJfl83td/G87+WahP8+YHicXKSQU36N7AsIPH/A90EmqnMqpgZICMKB+0oFrj0=
Received: from HE1PR07MB3436.eurprd07.prod.outlook.com (2603:10a6:7:37::31) by HE1PR0701MB3051.eurprd07.prod.outlook.com (2603:10a6:3:57::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4219.17; Fri, 11 Jun 2021 18:12:48 +0000
Received: from HE1PR07MB3436.eurprd07.prod.outlook.com ([fe80::9dbf:3074:b496:7704]) by HE1PR07MB3436.eurprd07.prod.outlook.com ([fe80::9dbf:3074:b496:7704%7]) with mapi id 15.20.4242.013; Fri, 11 Jun 2021 18:12:48 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Alan DeKok <aland@deployingradius.com>, EMU WG <emu@ietf.org>
Thread-Topic: [Emu] draft-ietf-emu-eap-tls13-16.txt
Thread-Index: AQHXXu1iiig3ahf0bkmrEUqhb2Rw1g==
Date: Fri, 11 Jun 2021 18:12:48 +0000
Message-ID: <ac3fda5a-65ef-0e57-fdb0-fffdc08bb9e1@ericsson.com>
References: <CAOgPGoBXRAABeC_kCcCrsUPC03e8C_GGpzJHB+aWAue5sE=9zw@mail.gmail.com> <4789411B-9D6A-4A33-B465-DCEC2369E671@deployingradius.com> <BA5BC7E9-EC6F-4A10-9F19-284572AF2710@deployingradius.com>
In-Reply-To: <BA5BC7E9-EC6F-4A10-9F19-284572AF2710@deployingradius.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1
authentication-results: deployingradius.com; dkim=none (message not signed) header.d=none;deployingradius.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [2001:14bb:1c1:9213:18c8:d286:224d:fbbb]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a66f74d2-7222-4e91-1a08-08d92d04850e
x-ms-traffictypediagnostic: HE1PR0701MB3051:
x-microsoft-antispam-prvs: <HE1PR0701MB305191357EC9EFF8CEF6D7EDD0349@HE1PR0701MB3051.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: taGpTWidrFCz6KDU/EIG0exuWkBVJ1Osniz787QAYvHrpEdd7kVj08CECRwjtZtFP1u6DaGsz84KaneYQzkgZKW4WiMLY6iyZcZq3i8Lmbx7TfKnTBlHBC99tBGAzbiAl8NSE8xCNTXf8k5ykwye3q4aFgoP0X0ByCuw50Q06pkGnUKbxtl2Xj7UIZFYqik9XdGrp3hTXawm8bUX1uF5YYqU9hVJkdYCMJYBqS1z3QQlAQK0N63D5SHrl1UG8G6e8L+TSFpYG97ciH3Jh5rvcGi11+g/r/Pq0xHdd0Me6akzP+O3w9fI53udpbMIgcrvMy1sPIDRo54r6haiuYwgr3omCsK60cKHT1XbNFLwIDwxsOiX1bYcFmM89Biv8cQ2Q/e07nJB/UgZr0cRzpoC3exQLuqKC+TVFYrvr6CLWgyUbOc4uuITx45ZVvroTG9HD/tf0dOiuzPYnA3S6ZMObn0Tz0bbbdHyopoLQbTh/T2paGv4J7EZy3zGjwPxTZIQkgDUZou+PgwhF/cYpww0HUOPvAZ89WKlwppzdsF9QwxZaX6Ew6NiYo05SwhNjSIW8DtL8FBEgyovk0vWAvvXL5LcuRp8olLttXq2lsbgRADLLRPjdwnRr/I6Id6gzIhHMpgWsVNcP/cNWvLcYmaIRJWShxvxGQFABvHbyLqGzyHPYR6s6C7pzY87H6jKhT+cV0e5FKIgeFNNDRuIPDAqJtHYtul3tck6Pe41DcoaJWFqV3infoyWKZvYvnGgv2QXSJ0kMmC0LkRI8gKC4htn3PNZkasbWjKZqTbJYsZhTdS2HUPGUROoBdV3KhaKQAexPrM6BUjpTUuvNyJXGg3DHkUC12Fck0Bm4f0X6RkCH1Y=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB3436.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(346002)(366004)(136003)(396003)(39860400002)(30864003)(6506007)(122000001)(36756003)(53546011)(38100700002)(8676002)(186003)(966005)(6486002)(31696002)(2616005)(478600001)(83380400001)(86362001)(66476007)(66446008)(64756008)(76116006)(71200400001)(31686004)(5660300002)(8936002)(2906002)(66946007)(316002)(66556008)(6512007)(110136005)(45980500001)(43740500002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?utf-8?B?Z24vWGd6RFZwaWRSU2lKZ2Q0MHdoMWQxTEpqaDR3MXdsYUNPcGZEWEs5VlVn?= =?utf-8?B?dnk0bWZRU2p2b0pBTWNJSWYybjZ6TVZWc0xLK3pNL3NCUiszbUtML2VCaUFG?= =?utf-8?B?T0IxdHo4S3RxR2lzQmZHbndUUzVXbTlJUWpBNUV0c2ZVUlFiWkp4K0dEelJJ?= =?utf-8?B?ZG9FVU9kY25qMGRjdHk1S2tKUUJWMmtJZkMrVEM2UUFJVEtBODk5WmxzSUkv?= =?utf-8?B?cWF2YldvUmFiWGRIaTZqQktjdCtFam9tOUdIUVV1WlArbXdweXRrbkJ0aGNQ?= =?utf-8?B?YllGM0MzTXRxTkZNSkJOYUR5MkRaelhVVmVNeXhGL2k4cWE2VUo5blBNWloy?= =?utf-8?B?WE1MNExnL1VqSzhoUU9SNnZCSUZHYUlwRnR6Yk1GTDRRTk51OFZYdGs1YVNj?= =?utf-8?B?SG9ITkc2bG9uVDBaeWw1YWZOOUhDSlFMM2RGRHZBVXVzb2orKzA1bUpUdmFk?= =?utf-8?B?VXBhQmUrcTlOYmVST0xoQmFXdDlnZHZyNkhHSjBnMDNjN09BTjFnVnJaV3JS?= =?utf-8?B?NWIrNU9YNWZ5aXNiejdveWllR3NNaitPNzJYZG5QbU1uRVZxSFVMNWhHMEVQ?= =?utf-8?B?OVJYdk5aL0ZCM1ZGdHNUVWxsUFljYnRsczhvS05ycllJMmZGT1ExOUZha0dH?= =?utf-8?B?S0RYSnBDRHk2aUpsNHBjeW5XTDdMSzl0Um1HWlB4QkpwUFArRjg1RFpWSldO?= =?utf-8?B?cnlCUThxMGw2QXFYb05qYXdaTDlEUE95VVlnamVJbWYyZkxYZ1o1VGdEaVFQ?= =?utf-8?B?WnlybDU5REd5eXpnM1MySDdQdm5aYXFEanRQekdXVmtNS2o5QW9Cc0xPbjI3?= =?utf-8?B?RmVLdGVQcnRQQnNDb0w5eUdSdzVDcGN0NzltS3pOU21zK2FrL1NpMUJKd1M0?= =?utf-8?B?NTFob3VHaCt6SCtXdTFrZlZMOUhqR3FkNVdwT2FvTzByMUd0eTlnOXcrbVBv?= =?utf-8?B?YlRac1dNZENqUzNwdWU3anl5bEo5RDBNc0orcE5aQzBlT2J2MWVDalVnVlky?= =?utf-8?B?VGxleS91SXBOTlQrNHVvNndScGZ6eFpJWW5iZXZtQnJvaEZvNFVpY1llbmI0?= =?utf-8?B?bW91SVJQcitHUFJuL0VlaFhzalowMlRidHNqbVpHMDQ0MUpUb3RqNW1YNlhu?= =?utf-8?B?VGpoM0lBZFRxRlJSaDlHMlgyZU1RQmtNZnlSYVpWU2p0UmdnUC91Z09MOE5M?= =?utf-8?B?ZnBJSGhVZWRzVTVoRDgyTzZZbFEyRHNFUjFkVE5WZnZFeUVtVVRoeDNiQS9y?= =?utf-8?B?dWx2VXovL0d6UHlhS0dhK1FMcEJvUG1yNWZid3VHbE91c2wzUWMwYWwvMDFP?= =?utf-8?B?SVhxcEhVQzlETVhkZWpJRytiajI5ejNzZWVsOUNOd094cnNuUG1PS3Nmekox?= =?utf-8?B?T2ZBTStjYlhod2Q2cHZYTFZvVU9xZUpPemUrRTA2YUV3a2pFWTdVZnNNSlh3?= =?utf-8?B?d3M0Z3BvQW1NSGFTYUxjNFdoNFZEbW1HaEhDQnNIc25YYnEyTTNsQkZQaFRV?= =?utf-8?B?QXdKU0lDU1B4UlEzYTR0SlZoNTNRcmxWaDlER2dMZlB2Z21rQ1lNMEgvM2Fw?= =?utf-8?B?dXB4VSsxek43Tzd3WGJjUkFyV3lIMWI5aEp4bm90YTFBNWcweDJlVmhjazN2?= =?utf-8?B?ZXcyVFNsU1c3QlN2S0gxMWo3REVmU3IzRFZyMzRYSU9RbGRFdFBDR2pwa2ow?= =?utf-8?B?eGd4aUVSekwyK3FRR0lVNzVpTlI1cHEzbGtjQVh5K1hCc0Y2VE1BZERWOHpN?= =?utf-8?B?dHJ1UXV4WWVValdJY29zMnUxVFdZRE5TN3pkb3hYVERCTHhRTzNnU0dhTkNK?= =?utf-8?B?SW40S09qTlYyd1daamxOUjF3bVRrQ0JaV1hFaFhYb0ljSnlXN1hDQnRwSUNN?= =?utf-8?Q?C2SIyuTgYIz5v?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <153E22A89F078B409C78AB0EEEC7F7B5@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR07MB3436.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a66f74d2-7222-4e91-1a08-08d92d04850e
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jun 2021 18:12:48.3569 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: J0vasTa9t2mSqwDz7w6T+bWasmjWs6KO1z139D7cbvMsIx267A4PlQoppAkAuS1LIPnL7uWSCVAXRdIucpmCnhZGgjp0Yrbt2A8JCU9m88Q=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB3051
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/5NafH_YFYib4cvk9glBZiHOO698>
Subject: Re: [Emu] draft-ietf-emu-eap-tls13-16.txt
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jun 2021 18:13:00 -0000

Hi Alan,

Response in-line.

On 6/11/21 4:38 PM, Alan DeKok wrote:
>    Some comments have been addressed, others not.  The majority of the issues raised in my review have been silently ignored.  Some issues are nits, some affect interoperability and security.
>
>    Until these issues are addressed, the document is insufficient to guide a reader into creating a secure and inter-operable implementation.
>
> Unaddressed without any comment or discussion:
>
>> Section 1 says:
>>
>>   While this document updates EAP-TLS [RFC5216], it
>>   remains backwards compatible with it and existing implementations of
>>   EAP-TLS.
>>
>> Other than the abstract, this is the only reference to EAP-TLS 1.3
>> being backwards compatible with older versions of EAP-TLS.  This
>> compatibility is simply asserted, with no further explanation given.
>>
>> Q: What does "backwards compatible" mean?  How is it achieved?
>>
>> Suggestion: add text explaining how it is backwards compatible.  How
>> will EAP-TLS 1.3 implementations negotiate EAP-TLS 1.2?  Perhaps
>> update Section 2.1 with text indicating that TLS version negotiation
>> is handled by the TLS layer, and thus outside of the scope of EAP-TLS.
>> Therefore so long as the underlying TLS implementation correctly
>> implements TLS version negotiation, EAP-TLS will automatically
>> leverage that capability.
The comment here says adding text about "TLS version negotiation". There 
is a comment from you below saying: "I don't understand why it's 
necessary to include discussion of TLS negotiation in EAP, when that 
negotiation does not affect EAP in any way." Am I missing something or 
is there conflicting feedback?
>>
>>
>> Section 2.1.1 says:
>>
>>   TLS 1.3 introduced the Post-Handshake KeyUpdate
>>   message which is not useful and not expected in EAP-TLS.
>>
>> Q: What does it mean that the message is "not expected"?  This seems
>> like a source of implementation-defined behavior, which experience
>> shows has been a source of interoperability and security issues.
>>
>> Suggestion: If there is no use for KeyUpdate messages, then mandate
>> that it SHOULD be ignored, or perhaps connections which use KeyUpdate
>> MUST be closed without updating the keys.  OpenSSL as APIs to
>> determine the status of key updates, so this suggestion is
>> implementable.
>    Addressed:
>
>> Section 2.1.3 says this about the session ticket:
>>
>>   ... If the EAP-TLS server
>>   accepts it, then the security context of the new connection is tied
>>   to the original connection and the key derived from the initial
>>   handshake is used to bootstrap the cryptographic state instead of a
>>   full handshake.
>>
>> Nit: This the the only reference to "bootstrap the cryptographic
>> state" in this document.  This text seems like an unnecessary
>> repetition of RFC 8446 Section 2.2.
>>
>> Suggestion: Perhaps say instead
>>
>>   ... If the EAP-TLS server
>>   accepts it, then the resumed session has been deemed to be
>>   authenticated, and securely associated with the prior authentication
>>   or resumption.
>>
>>
>> Section 2.1.4
>>
>>    In TLS 1.3 [RFC8446], error alerts are not mandatory to send after a
>>    fatal error condition.  Failure to send TLS Error alerts means that
>>    the peer or server would have no way of determining what went wrong.
>>    EAP-TLS 1.3 strengthen this requirement.
>>
>> NIT: strengthenS this requirement.
> Unaddressed without any comment or discussion:
>
>> Section 2.1.5 is essentially empty.
>>
>> Is there guidance as to when no peer authentication should /
>> should not be used?  Is it possible for an EAP peer to present a
>> client certificate, but have the EAP server ignore it?  What kind of network access should an EAP peer have if it does not use peer authentication?
>>
>>   Perhaps some of the text from Section 5.6 could be added here.
>>
>> Perhaps suggest that in the normal case, deployments SHOULD use peer
>> authentication.  Also that the "no peer authentication" case be
>> strictly limited in both time, and network access.
>>
>> e.g. The "no peer authentication" situation MUST NOT be used to give
>> normal network access to EAP peers.  Instead, deployments SHOULD
>> provide access which is limited in both time, and in capability.
>> Usually this means a "quarantine" network, or "walled garden", which
>> has only limited capability.
There is text already in the draft which says : "While the EAP server 
SHOULD require peer authentication, this is not mandatory, since there 
are circumstances in which peer authentication will not be needed (e.g., 
emergency services, as described in [UNAUTH]), or where the peer will 
authenticate via some other means.". This is what was said also in RFC 
5216. We also have also have the following text in the draft: "Some 
deployments may permit no peer authentication for some or all 
connections.  When peer authentication is not used, implementations MUST 
take care to limit network access  appropriately for unauthenticated 
peers and implementations MUST use resumption with caution to ensure 
that a resumed session is not granted more privilege than was intended 
for the original session.". I think we have tried to find a careful 
balance between providing sufficient guidance vs. being repetitive. Is 
there something that should be repeated in section 2.1.5?
>>
>> Also, the Security Considurations section has no discussion of the
>> security impact of not authenticating the peer.  As Section 2.1.5 is
>> new, it has major impacts on security, and thus needs to be discussed.
> Unaddressed without any comment or discussion:
>
>    I don't understand why it's necessary to include discussion of TLS negotiation in EAP, when that negotiation does not affect EAP in any way.
See above.
>
>> Section 2.1.6 says:
>>
>>   As defined in TLS 1.3 [RFC8446], EAP-TLS servers can send a
>>   HelloRetryRequest message in response to a ClientHello if the EAP-TLS
>>   server finds an acceptable set of parameters but the initial
>>   ClientHello does not contain all the needed information to continue
>>   the handshake.
>>
>> It's not clear why this section is necessary.  The text here appears
>> to be discussing internals of TLS layer negotiation, which are
>> invisible to EAP-TLS.  That is, this packet flow has no effect on the
>> EAP-TLS state machine, other than a different number of packets are
>> exchanged than with other packet flows.
>>
>> Question: Is it that "EAP-TLS server" does not have sufficient
>> information to continue the handshake, or is it "the TLS layer" ?
>>
>> Question: if the EAP-TLS implementation can do nothing other than ask
>> the TLS layer to continue the handshake, is this section even
>> necessary or relevant?
This section was added based on a review by Jim Schaad 
(https://mailarchive.ietf.org/arch/msg/emu/qO5qgQ-8GzB-jVx2vtrQCe42cCg/). 
If nothing else, I would like to keep it as a homage to him.
>>
>> Section 2.1.9 says:
>>
>>   Some EAP implementations and access networks may limit the number of
>>   EAP packet exchanges that can be handled.
>>
>> This is under-stating the issue rather severely.  We know with
>> absolute certainty that most (if not all) EAP implementations and
>> access networks limit the number of EAP packet exchanges.  Perhaps
>> update the text to reference implementation and interoperability
>> experience.
>     Addressed in part:
>
>    The updated text is clearer, but still does not address some of the questions raised below about calling this out as a new requirement from 5216, and what happens in an HA environment.
Please let us know a good reference to "implementation and 
interoperability experience." about the upper limit on EAP packet 
exchanges. This would also be useful for draft-ietf-emu-eaptlscert.
>
>> Section 2.2 has substantial new text which was not previously discussed on the WG mailing list.
>>
>>    The EAP server identity in the TLS server certificate is typically a
>>    fully qualified domain name (FQDN).  EAP peer implementations SHOULD
>>    allow users to configuring a unique trust root (CA certificate) and a
>>    server name to authenticate the server certificate and match the
>>    subjectAlternativeName (SAN) extension in the server certificate with
>>    the configured server name.
>>
>> Comment: How does this text related to RFC 5216 Section 5.2 ?  There seems to be substantial overlap.
>>
>> What does this text add to / change from RFC 5216 Section 5.2 ?
>>
>> Requiring a supplicant to be configured with a peer name is a new requirement from RFC 5216, and isn't called out as such.
I agree with you that we could benefit from more clarification on 
relationship between section 2.2 and 5.2 of this draft vs. the old RFC 
5216. Do you have a suggestion how best to split the text and reflect 
the updates to RFC5216?
>>
>> What happens in a high availability (HA) environment?  Are all of the EAP servers required to have the same FQDN?
>>
>> While this text is intended to increase security, there are implementation and operational considerations which need addressing.
>>
>>    In the absence of a user-configured root
>>    CA certificate,
>>
>> Comment: I'm not sure what that means.  It seems to assume certain things without explaining them.
>>
>>    The process of configuring a root CA certificate and a server name is
>>    non-trivial and therefore automated methods of provisioning are
>>    RECOMMENDED.  For example, the eduroam federation [RFC7593] provides
>>    a Configuration Assistant Tool (CAT) to automate the configuration
>>    process.  In the absence of a trusted root CA certificate (user
>>    configured or system-wide), EAP peers MAY implement a trust on first
>>    use (TOFU) mechanism where the peer trusts and stores the server
>>    certificate during the first connection attempt.  The EAP peer
>>    ensures that the server presents the same stored certificate on
>>    subsequent interactions.  Use of TOFU mechanism does not allow for
>>    the server certificate to change without out-of-band validation of
>>    the certificate and is therefore not suitable for many deployments.
>>
>> i.e. when there's an HA configuration.
>    Addressed.
>
>> Section 2.3 says:
>>
>>
>>    When EAP-TLS is used with TLS version 1.3 the Key_Material, IV, and
>>    Method-Id SHALL be derived from the exporter_secret using the TLS
>>    exporter interface [RFC5705] (for TLS 1.3 this is defined in
>>    Section 7.5 of [RFC8446]).
>>
>>    Type-Code  = 0x0D
>>    MSK        = TLS-Exporter("EXPORTER_EAP_TLS_MSK",Type-Code,64)
>>    EMSK       = TLS-Exporter("EXPORTER_EAP_TLS_EMSK",Type-Code,64)
>>    Method-Id  = TLS-Exporter("EXPORTER_EAP_TLS_Method-Id",Type-Code,64)
>>    Session-Id = Type-Code || Method-Id
>>
>> All this is nice, but it might be too late.  I'd check with major implementations which have frozen their code, and are shipping.
>>
>> It would be good for the spec and implementations to match.
>>
>>
>> Section 2.3 says:
>>
>>   By using the TLS exporter, EAP-TLS can use any TLS 1.3 implementation
>>   without having to extract the Master Secret, ClientHello.random, and
>>   ServerHello.random in a non-standard way.
>>
>> NIT: the exporters were first defined in TLS 1.2, and have been widely
>> available in TLS library implementations.  Using master secret,
>> etc. has not been necessary for a while.  Further, the "non-standard"
>> use of Master Secret, etc. was first done in the original EAP-TLS RFC
>> [2716], in 1999.  The TLS WG later defined and standardized the
>> exporters in order to meet the needs of EAP-TLS.
>>
>> Perhaps instead say:
>>
>>   By using the TLS exporter, EAP-TLS can use any TLS 1.3 implementation
>>   which provides a public API for the exporter.  There has been no need
>>   to access internal fields in TLS since the public exporters were
>>   defined in [RFC5705].
>>
>>
>> Section 2.4 says:
>>
>>    While EAP-TLS does not protect any application data except for the
>>    Commitment Message, the negotiated cipher suites and algorithms MAY
>>    be used to secure data as done in other TLS-based EAP methods.
>>
>> Comment: This appears to be the only reference to the commitment message in the document.  It may be good to update Section 2.5 to use the same name for the 0x00 byte of application data.
> Unaddressed without any comment or discussion:
>
>> Section 5.1 says:
>>
>>   [4] Cryptographic Negotiation: TLS 1.3 increases the number of
>>   cryptographic parameters that are negotiated in the handshake.  When
>>   EAP-TLS is used with TLS 1.3, EAP-TLS inherits the cryptographic
>>   negotiation of AEAD algorithm, HKDF hash algorithm, key exchange
>>   groups, and signature algorithm, see Section 4.1.1 of [RFC8446].
>>
>> Question: what does this mean in practice for EAP-TLS?  i.e. this text
>> describes a capability.  It does not describe what that capability
>> does, or how it benefits EAP-TLS.
This is what RFC5216 said "EAP-TLS inherits the secure ciphersuite 
negotiation features of TLS, including key derivation function 
negotiation when utilized with TLS v1.2 ". Do you have some suggestion 
on what we should add?
>>
>>
>> Section 5.2 says:
>>
>> No updates to section 5.2 of [RFC5216].
>>
>> This isn't true.  Section 2.2 has substantial new text with new requirements, and new security impacts.
>>
>>
>> Section 5.3 says:
>>
>>    While certificates may have long validity periods,
>>
>> Comment: Certs issued by public CAs are generally short-lived, as in a year or so.  It may be worth discussing this.
>>
>>
>> Section 5.4 says:
>>
>>    Some deployments may permit no peer authentication for some or all
>>    connections.  When peer authentication is not used, implementations
>>    MUST take care to limit network access appropriately for
>>    unauthenticated peers
>>
>> Q: Are these EAP server implementations?  How does an EAP server limit network access for unauthenticated peers?

Fixed in github version.

Could you also highlight if there are some unaddressed comments. It 
wasn't obvious if "Unaddressed without any comment or discussion:" 
refers only to the discussion immediately below or to several 
discussions below.

--Mohit

>>
>> Section 5.7 says:
>>
>>   There are a number of security issues related to resumption that are
>>   not described in [RFC5216].  The problems, guidelines, and
>>   requirements in this section therefore applies to all version of TLS.
>>
>> NIT: These requirements are for EAP-TLS, and not TLS.  This document does not apply new security requirements to the TLS protocol
>>
>> Perhaps instead:
>>
>>   There are a number of security issues related to resumption that are
>>   not described in [RFC5216].  The problems, guidelines, and
>>   requirements in this section therefore applies EAP-TLS when is used
>>   with any version of TLS.
>>
>>
>> Section 5.7 says:
>>
>>    If the EAP-TLS server or EAP client do not apply any authorization
>>    policies,
>>
>> NIT: EAP-TLS servers do not apply authorization policies.  Perhaps explain that the EAP-TLS server is co-located with RADIUS / Diameter etc, and those apply policies.
>>
>> NIT2: It's not clear how an EAP client would apply authorization policies.  Perhaps just remove the reference to the EAP client.
>>
>>
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu