[Emu] Final 2 notes on draft-ietf-emu-tls-eap-types-03.txt

Alan DeKok <aland@deployingradius.com> Wed, 23 March 2022 17:02 UTC

To: EMU WG <emu@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/6C5q6eKqnyA3Ihd19RxFydh8uog>

1) RFC 5281 allows for the use of client certificates only, and skipping all "inner" authentication.

  I don't know of any RADIUS server or supplicant which supports this.  It may be theoretically possible, but it's not widely used.

  The current draft forbids this in Section 2.4.1, because (a) it's not used, and (b) equivalent functionality exists in EAP-TLS.

2) The draft should be updated to add a note that when a supplicant sends PAP/CHAP for phase 2 of TTLS, the expected responses are:

	EAP-Success
	EAP-Failure
	Ongoing TLS negotiation, with a resumption ticket.

  At least one implementation expects success/failure, and treats ongoing TLS negotiation as a failure.

  If we squint hard, we could view the resumption ticket as a "protected success indicator".  So it might be worth adding that it's a good idea to send, even if the server has no intention of doing resumption.

  If there are no objections or comments, I'll update the draft with some text saying the above.  I'll issue a new version next week.

  Alan DeKok.
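The interoperability point in note 2, as an added example that is not part of the message or the draft: a supplicant-side classifier that parses the RFC 3748 EAP header and the RFC 5281 EAP-TTLS flags octet, and treats an EAP-Request/TTLS carrying further TLS records (such as a resumption ticket) after the PAP/CHAP phase-2 data as "keep running TLS", not as a failure. The packets at the bottom are constructed by hand for the demonstration.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # RFC 3748 Codes
EAP_TYPE_TTLS = 21                                                 # RFC 5281
FLAG_LENGTH_INCLUDED, FLAG_MORE_FRAGMENTS, FLAG_START = 0x80, 0x40, 0x20

def parse_eap(buf: bytes):
    """Parse the RFC 3748 header Code(1) Identifier(1) Length(2) [Type(1) Type-Data].
    Returns (code, identifier, type_or_None, type_data)."""
    if len(buf) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError("EAP Length field inconsistent with buffer")
    body = buf[4:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""          # Success/Failure carry no Type
    if not body:
        raise ValueError("Request/Response without a Type octet")
    return code, ident, body[0], body[1:]

def ttls_tls_payload(type_data: bytes) -> bytes:
    """Skip the EAP-TTLS flags octet (and the 4-octet TLS Message Length when L is set)."""
    offset = 5 if type_data[0] & FLAG_LENGTH_INCLUDED else 1
    return type_data[offset:]

def phase2_outcome(buf: bytes) -> str:
    """Classify the server's reply to the client's PAP/CHAP phase-2 data.
    'continue-tls' means more TLS records (e.g. a resumption ticket) must be fed
    back into the TLS stack; it is not an authentication failure."""
    code, _ident, eap_type, type_data = parse_eap(buf)
    if code == EAP_SUCCESS:
        return "success"
    if code == EAP_FAILURE:
        return "failure"
    if code == EAP_REQUEST and eap_type == EAP_TYPE_TTLS:
        tls = ttls_tls_payload(type_data)
        return "continue-tls" if tls else "ack"  # a bare TTLS request only acks our fragment
    return "protocol-error"                       # anything else violates the method

# Constructed sample packets (hand-built here, not real captures).
SAMPLE_SUCCESS = bytes([EAP_SUCCESS, 0x07, 0x00, 0x04])
SAMPLE_FAILURE = bytes([EAP_FAILURE, 0x07, 0x00, 0x04])
# One encrypted TLS record (content type 23) standing in for a post-handshake
# NewSessionTicket; the three payload bytes are arbitrary.
TLS_RECORD = bytes([0x17, 0x03, 0x03, 0x00, 0x03]) + b"\xaa\xbb\xcc"
TYPE_DATA = bytes([0x00]) + TLS_RECORD           # TTLS flags octet: no L/M/S, version 0
SAMPLE_TICKET = (struct.pack("!BBH", EAP_REQUEST, 0x08, 5 + len(TYPE_DATA))
                 + bytes([EAP_TYPE_TTLS]) + TYPE_DATA)
```

A supplicant with the bug described above would return "failure" for SAMPLE_TICKET; here it returns "continue-tls" and the caller hands TLS_RECORD to its TLS library, which then yields EAP-Success or EAP-Failure on a later packet.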