IETF Logo Mail Archive

Re: [Emu] New Version Notification for draft-janfred-eap-fido-02.txt

Heikki Vatiainen <hvn@radiatorsoftware.com> Tue, 05 March 2024 09:34 UTC

Return-Path: <hvn@radiatorsoftware.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DD7DC14F5FA for <emu@ietfa.amsl.com>; Tue, 5 Mar 2024 01:34:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=radiatorsoftware-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6eyEJLBiVFQa for <emu@ietfa.amsl.com>; Tue, 5 Mar 2024 01:34:08 -0800 (PST)
Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56BA0C14F5E5 for <emu@ietf.org>; Tue, 5 Mar 2024 01:34:08 -0800 (PST)
Received: by mail-wm1-x336.google.com with SMTP id 5b1f17b1804b1-40fd72f7125so39005065e9.1 for <emu@ietf.org>; Tue, 05 Mar 2024 01:34:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=radiatorsoftware-com.20230601.gappssmtp.com; s=20230601; t=1709631246; x=1710236046; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=L1m2TXGY6K4lGFqvQIXVXWu+UmfKJZO0zh1XrV73dj8=; b=Q/eyA1cpNV2zASBd6/ycNS7PJoJCpATfD5vfsHmksIrGWLvbvmDH3g4Gep8P8Xr8h2 89740ANwHroZ0Bua+i+TV//nOwX21q8PXJohjEKvXAegyb2gS5vf4d3rxC1H9+E/LmE3 7DqviRGyok0eCyP0cRkK9TBX4pMq3VdnB4yIsst6JNJ+S+5rxwaZACCBXVDMiGC0Pbs1 AyugbSpJ4PY3RqyCsYfInKDSIC5ZNvli3xe6Ue48Ce1um8oqfCc4BPsD3u5ivFX0vQ3W rSqdFIiMyA6bhcR53yjKIZl+kizwv0QVfZNPoVJ2J+cRFToaclGoHB8ZUVPD/0n+L9Tj x+lQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709631246; x=1710236046; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=L1m2TXGY6K4lGFqvQIXVXWu+UmfKJZO0zh1XrV73dj8=; b=MKfztM9KAWrgOirNLYvVXkGSu6W8ZCw/v15Y4vnW7lt1/UzKhUZV2t25nsTaxnBDTY lPKUp/ZskrcathGTadEHGjfx3bBH0OsQH7/o2RK5Sznsn0/7N77cnc9Ojrwxn2iH7bCO tBUm1ilhuBxpcrQcji9eSR2W3lOjP0wGvOnvsQQce9F/poC6To3GwTttxS77RkpCVFD2 ZhqFlSziiMPa82sOBzmMEc9X+e49vHvQp4u+vZeBifX3IsuTV1N3mZ4oEjUePLlKFile 0thJmFmLJGXJiPqWlHA57HFGnzaaNjIiai1nRwafQBgEFd3/ceO35f+Z7Sy/0dIQcbLt tZNw==
X-Gm-Message-State: AOJu0Ywx12C/qsL3HQUlZqzFnYspFBGyYlYTgtksV2sl0U21szBN8Cx2 RhtEVaWmgS0czAtva9/tmV/nKvA4iTYR2NCN6OvbiEdz3WIkDieiwuA+Ercv/NIhF8DL2NI8apg FLFtVEwdmkG098rTqFguKSKOSGARppxnZplVW/v+ev2P3mCX2Eg==
X-Google-Smtp-Source: AGHT+IEpKb0/RAEe2edtvEs0IERc/mpS228Jpvy+GXigG68P1hRSlK8e6mb7BfwJtKDn200RUPeIa08Qf01sa9sWGkU=
X-Received: by 2002:a5d:6181:0:b0:33e:19ae:3716 with SMTP id j1-20020a5d6181000000b0033e19ae3716mr7179274wru.11.1709631246214; Tue, 05 Mar 2024 01:34:06 -0800 (PST)
MIME-Version: 1.0
References: <170932527085.22824.18343512124707075119@ietfa.amsl.com> <66bca1b2-4b2d-429d-8f85-5c76d29005ad@dfn.de> <c2951f3d-bcc7-4b90-bcdd-077a506dd464@app.fastmail.com> <5e5f794d-a260-4fc4-b4c0-fbe13ed54691@dfn.de> <2A73CDC3-9D44-433B-8948-405917CA69F0@deployingradius.com> <bf52a9e3-bcf9-4e69-962d-42b6bb975142@app.fastmail.com>
In-Reply-To: <bf52a9e3-bcf9-4e69-962d-42b6bb975142@app.fastmail.com>
From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Tue, 05 Mar 2024 10:33:49 +0100
Message-ID: <CAA7Lko8diwXstKPKb1++tkS58xYFmoHTbR__ndz77-DkJ227ZA@mail.gmail.com>
To: EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000020c9940612e68bb1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/8ZbwPv4ause42vovezszN4OI1LA>
Subject: Re: [Emu] New Version Notification for draft-janfred-eap-fido-02.txt
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 09:34:12 -0000

On Tue, 5 Mar 2024 at 09:56, Alexander Clouter <alex+ietf@coremem.com>
wrote:


> Using an entire serialiser to support only a map carrying attributes with
> 1->3 *predetermined* keys seems a bit of a cannon to deal with a mosquito
> solution as they go. As a hypothetical, would people have a stronger
> opinion here if CBOR was swapped for protocol buffers or ASN.1 in the
> document?
>

Ok, I'll bite. I've worked recently with ASN.1 (hello GSM world) and found
it much easier to work than I initially though. I found the
interoperability of different MAP and TCAP (again GSM) implementations to
work well together. In other words, the software I made successfully talked
to other software from the beginning. This allowed the work to concentrate
on the software functionality instead of serialising bits on the line.

I'd say the main point is: use encoding that's appropriate for the task.
ASN.1 suits for 2G/3G complex things. Simple TLVs have so far worked well
with EAP.

I haven't worked with CBOR, but I'd be interested to know if, for example,
how careful we need to be with serialiser/deserialiser to avoid problems
similar to exponential expansions attacks [1], etc. TLVs are known for
people working on Radius/Diameter/EAP. With CBOR it would be useful if the
draft were to have information to avoid potential problems, especially if
the CBOR input can come from untrusted sources. I'm sure this information
is available, and it would help the implementers if they're notified about
what to look out for, if needed.

[1] https://en.wikipedia.org/wiki/Billion_laughs_attack

-- 
Heikki Vatiainen
hvn@radiatorsoftware.com

v2.23.0 | Report a Bug | By Email