IETF Logo Mail Archive

Re: [Emu] RFC7170bis and lack of identities

Alan DeKok <aland@deployingradius.com> Tue, 07 February 2023 14:35 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17FA3C1575C7 for <emu@ietfa.amsl.com>; Tue, 7 Feb 2023 06:35:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LoauAC2FsOa3 for <emu@ietfa.amsl.com>; Tue, 7 Feb 2023 06:35:02 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C621DC1526ED for <emu@ietf.org>; Tue, 7 Feb 2023 06:35:01 -0800 (PST)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id D061A382; Tue, 7 Feb 2023 14:34:56 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAOgPGoBmKQZde=dEmJjD-BMJSyGJ2jiotDSEOtGWQ4RkNNnU6g@mail.gmail.com>
Date: Tue, 07 Feb 2023 09:34:55 -0500
Cc: Alexander Clouter <alex+ietf@coremem.com>, EMU WG <emu@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8068D186-CA40-423A-8E0C-7E32708ABE0E@deployingradius.com>
References: <972E80E4-CB18-4154-A407-5BC04D2677FE@deployingradius.com> <45426003-4eb9-9c31-d66b-3d2b51896bcb@lear.ch> <FFFD2F98-2E7F-4603-9B85-E6C80ACE0799@deployingradius.com> <1165a702-ee9e-4269-8af1-0406eb798de0@app.fastmail.com> <E7F39732-D012-4D2A-A34F-44965763C808@deployingradius.com> <CAOgPGoBmKQZde=dEmJjD-BMJSyGJ2jiotDSEOtGWQ4RkNNnU6g@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/8HRx4rj06yUxWRxaIndIgw35C0E>
Subject: Re: [Emu] RFC7170bis and lack of identities
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2023 14:35:05 -0000

On Feb 7, 2023, at 1:04 AM, Joseph Salowey <joe@salowey.net> wrote:
> [Joe]  The intent here was that the client authenticated using a certificate during the TLS handshake and that the server viewed this as sufficient to meet the authentication requirements, but the client requires another method to be executed so it uses the request action frame to start up a new exchange.   Example C4 shows TLS client authentication with renegotiation, but it seems a bit weird to me in that it is client initiated in response to a server EAP-IDentity Request.  
> 
> Did you find out if any of this is supported? 

  We support authentication via client certs for all TLS-based EAP methods.  However, that isn't currently tied into TEAP.

  i.e. the client can send a cert, and the TEAP server will check it.  But that won't affect the protocol exchange in phase 2.

  I think that's easy to change in the code, and it's worth leaving in the document.  Especially as TLS 1.3 hides the client certificate information.  And draft-ietf-emu-tls-eap-types allows the use of client certs with TEAP for TLS 1.3, too.

  And just comparing the "tls-eap-types" document to this one, this one is missing discussion about client certs sent in phase 1.  i.e.

* client certs MUST include Identity-Type as an outer TLV, in order to signal the type of identity which that client certificate is for.

* if there's a client cert, then something MUST happen in phase 2, otherwise TEAP devolves to EAP-TLS.

  I'll add some text.

> [Joe] Although this seems OK, I'd rather be removing things than adding things. I think we should make sure that the working group wants this.  

  I agree.  I do think that this is one of those "here be dragons" issues.  Where people decide one way because of lack of information about the "correct" way to do it.  And then later realize the decision should have gone the other way.

  I think the only way to side-step this issue is to realize that the lack of an Identity-Hint TLV means TEAP deployments will be limited to either password, OR EAP authentication in phase 2, but not both in the same system.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email