Re: [Emu] I-D Action: draft-ietf-emu-eaptlscert-02.txt
Michael Richardson <mcr+ietf@sandelman.ca> Mon, 16 March 2020 16:58 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82CF43A0D37 for <emu@ietfa.amsl.com>; Mon, 16 Mar 2020 09:58:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8CYQJHRrY7rS for <emu@ietfa.amsl.com>; Mon, 16 Mar 2020 09:57:59 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C52513A0D3F for <emu@ietf.org>; Mon, 16 Mar 2020 09:57:57 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 3A49038980 for <emu@ietf.org>; Mon, 16 Mar 2020 12:56:34 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 2967D54E for <emu@ietf.org>; Mon, 16 Mar 2020 12:57:51 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: emu@ietf.org
In-Reply-To: <158434433832.23445.928492102001107664@ietfa.amsl.com>
References: <158434433832.23445.928492102001107664@ietfa.amsl.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.1.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Mon, 16 Mar 2020 12:57:51 -0400
Message-ID: <9501.1584377871@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/6YilrM3tCVPqOEBMZhrXXZN5ows>
Subject: Re: [Emu] I-D Action: draft-ietf-emu-eaptlscert-02.txt
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2020 16:58:04 -0000
Hi, I didn't know about this document, and I've just read it. Some questions: 1) "RADIUS can generally transport only about 4000 octets of EAP in a single message." Can you explain this? Radius over UDP would have fragment a 4000 octet message, so why is the number 4000? That's three fragments. Is the loss amount beyond this too high? Or is it that common implementations just don't support larger sizes? RFC6613 radius over TCP would not seem to have that limitation, but I won't be surprised if it is less common. I've certainly used it as it solves the the NAT and Radius key problem. (Alan?) 2) the problem appears is documented to occur at 60Kbyte chain size. With 6 intermediate certificates in the chain, that provides for 10KByte for each certificate, which seems rather generous to me. I am not objecting to solving the problem as stated, but I want to understand what the goals really are. The advice in section 4.1 is good. Are full postal addresses in intermediate CAs really the culprit here? 3) section 4.2.2, about caching certificates from a previous TLS session is interesting. I'm unfamiliar with rfc7924, does it use a session resumption ticket, or will any previous connection do? (It seems that a session resumption process is not required?) This might provide motivation Alan's question about why/how one might resume an HTTPS TLS session over EAP-TLS. I was surprised to get to the end of the document without any suggestions about sending certificates by reference rather than value. This is the method that we have adopted on draft-selander-ace-ake-authz. We considered using the mathmesh UDF mechanism, but found a way that could instead send only the location while actually encrypting the ID as a privacy enhancement. I don't think such a thing would be desireable, and TLS 1.3 provides other equivalent privacy enhancements, but I want to suggest you consider a new certificate container which contains a reference. IKEv2 already has that. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Emu] I-D Action: draft-ietf-emu-eaptlscert-02.txt internet-drafts
- Re: [Emu] I-D Action: draft-ietf-emu-eaptlscert-0… Michael Richardson
- Re: [Emu] I-D Action: draft-ietf-emu-eaptlscert-0… Alan DeKok