Re: [Emu] Late WGLC Comment on draft-ietf-emu-eap-tls13

Mohit Sethi M <mohit.m.sethi@ericsson.com> Wed, 11 March 2020 08:48 UTC

From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>, Mohit Sethi M <mohit.m.sethi@ericsson.com>
CC: EMU WG <emu@ietf.org>
Date: Wed, 11 Mar 2020 08:48:29 +0000
Message-ID: <3e688ca5-aea8-f8ca-f58c-98f58eaadf59@ericsson.com>
In-Reply-To: <88D20B98-179F-4B28-B758-1D7459F3BED1@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/6E63_n9apPT4omD3AwVm5Jo7LIY>

Hi John,

I understand your concern about EAP restricting TLS authentication methods. 
However, it is not unusual for other groups to define profiles of a 
protocol they rely on.

If someone's IoT device wants only EAP-TLS-PSK and nothing else, then I 
believe we should enable that. I agree with you that a separate document 
and type code for each TLS authentication method is not ideal either. We 
could do something like EAP-TLS-FULL as you suggest (as long as 
developers can pick and choose only the relevant TLS authentication methods). 
Also, we are not yet running out of the type code (and expanded type 
code) space for now. If others are interested in defining some 
EAP-TLS-foo method later on, they have the liberty to do that.

--Mohit

On 3/11/20 10:01 AM, John Mattsson wrote:
> Hi,
>
> Russ Housley wrote:
> >> I do not understand the reason for Bernard's objection.  I looked at the minutes, and I do not find any rationale there.  Can you help?
>
> If I remember correctly, Bernard stated that the introduction of PSK could weaken the implementation and violate the security proofs of EAP-TLS. I don't really agree with Bernard, but I am fine with restricting the type code 0x0D to certificates only. I am not sure any proofs with TLS 1.1 would apply to TLS 1.3 anyway as TLS 1.3 is basically a new protocol, reusing encoding and IANA registers from the old version.
>
> Given that the EAP-TLS Type-Code 0x0D is dedicated to Certificates, I am not sure the approach to dedicate a new type code for PSK authentication is the correct choice.
>
> psk_ke
> psk_dhe_ke
> tls_cert_with_extern_psk+psk_dhe_ke
>
> are just three of many authentication methods that may not fit in type code 0x0D. Earlier versions of TLS have supported many more authentication methods:
>
> KRB5
> anon
> SRP
> ECCPWD
>
> And just looking at the TLS WG documents, there are several future authentication methods for TLS 1.3 likely in the future.
>
> https://datatracker.ietf.org/doc/draft-wang-tls-raw-public-key-with-ibc/
> https://datatracker.ietf.org/doc/draft-tschofenig-tls-cwt/
> https://datatracker.ietf.org/doc/draft-vanrein-tls-kdh/
>
> I do not think the EAP group should forbid any TLS 1.3 authentication method unless there are valid reasons to do so. Instead of the current suggestion:
>
> 0x0D     EAP-TLS (cert and nothing else)
> 0xTBD    EAP-TLS-PSK (psk and psk+something else)
>
> I think a better way to structure things would be:
>
> 0x0D     EAP-TLS (cert and nothing else)
> 0xTBD    EAP-TLS-FULL (everything that TLS 1.3 supports)
>
> I sympathise with earlier comments in the group that EAP should mostly be a transport for TLS and that the decisions of which authentication methods to support should be taken by the TLS WG.
>
> Cheers,
> John
>
> -----Original Message-----
> From: Russ Housley <housley@vigilsec.com>
> Date: Tuesday, 10 March 2020 at 18:48
> To: Mohit Sethi M <mohit.m.sethi@ericsson.com>
> Cc: John Mattsson <john.mattsson@ericsson.com>, EMU WG <emu@ietf.org>
> Subject: Re: [Emu] Late WGLC Comment on draft-ietf-emu-eap-tls13
>
>      Thanks for the pointer.
>      
>      I am fine with the proposed way forward.
>      
>      Russ
>      
>      
>      > On Mar 10, 2020, at 12:43 PM, Mohit Sethi M <mohit.m.sethi@ericsson.com> wrote:
>      >
>      > Hi Russ,
>      >
>      > You can listen here: https://youtu.be/YJLG4JUftqI?t=1144
>      >
>      > We plan to support it in EAP-TLS-PSK instead:
>      > https://tools.ietf.org/html/draft-mattsson-emu-eap-tls-psk-00. We have
>      > already added a reference to draft-ietf-tls-tls13-cert-with-extern-psk
>      > and plan to use it. I think using an external PSK anyway requires
>      > ironing out some issues like what is the relationship between NAI and
>      > the PSK identity? And do we allow user-configured PSK identities/PSKs etc.?
>      >
>      > Would it be reasonable if we specify the usage of
>      > draft-ietf-tls-tls13-cert-with-extern-psk in EAP-TLS-PSK instead?
>      >
>      > --Mohit
>      >
>      > On 3/10/20 6:30 PM, Russ Housley wrote:
>      >> I do not understand the reason for Bernard's objection.  I looked at the minutes, and I do not find any rationale there.  Can you help?
>      >>
>      >> Russ
>      >>
>      >>
>      >>> On Mar 9, 2020, at 5:59 AM, John Mattsson <john.mattsson@ericsson.com> wrote:
>      >>>
>      >>> Hi Russ,
>      >>>
>      >>> Sorry for the late reply. I actually brought up your draft [ID-ietf-tls-tls13-cert-with-extern-psk] during my EMU presentation at IETF 106 as something that should probably be in EAP-TLS. Bernard Aboba then expressed a very strong opinion that [ID-ietf-tls-tls13-cert-with-extern-psk] should absolutely not be included in the EAP-TLS Type-Code 0x0D. After this the WG decided as a way forward to specify EAP-TLS with PSK authentication in a new draft.
>      >>>
>      >>> Given these strong opinions from Bernard Aboba, and the wish to publish draft-ietf-emu-eap-tls13 soon, I think the best way forward would be to specify the use of [ID-ietf-tls-tls13-cert-with-extern-psk] in the same new draft as EAP-TLS with PSK authentication. Does that sound like an acceptable way forward?
>      >>>
>      >>> Cheers,
>      >>> John
>      >>>
>      >>> -----Original Message-----
>      >>> From: Russ Housley <housley@vigilsec.com>
>      >>> Date: Monday, 13 January 2020 at 18:29
>      >>> To: John Mattsson <john.mattsson@ericsson.com>
>      >>> Cc: EMU WG <emu@ietf.org>
>      >>> Subject: Late WGLC Comment on draft-ietf-emu-eap-tls13
>      >>>
>      >>>    John:
>      >>>
>      >>>    Section 2.1.1 says:
>      >>>
>      >>>       Pre-Shared Key (PSK) authentication SHALL NOT be used except
>      >>>       for resumption.
>      >>>
>      >>>    I would rather this say:
>      >>>
>      >>>       Pre-Shared Key (PSK) authentication SHALL NOT be used except
>      >>>       for resumption or in conjunction with the "tls_cert_with_extern_psk"
>      >>>       extension [ID-ietf-tls-tls13-cert-with-extern-psk].
>      >>>
>      >>>    Russ
>      >>>
>      >>>
>      >>>