Re: [Emu] WGLC on draft-ietf-emu-rfc7170bis-11

Alan DeKok <aland@deployingradius.com> Fri, 18 August 2023 13:31 UTC

From: Alan DeKok <aland@deployingradius.com>
Date: Fri, 18 Aug 2023 09:31:17 -0400
To: "Vadim Cargatser (vcargats)" <vcargats@cisco.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, EMU WG <emu@ietf.org>
In-Reply-To: <CO1PR11MB48192C7F6F1D2A3CC79DED20C71BA@CO1PR11MB4819.namprd11.prod.outlook.com>
References: <01a201d9cef5$7e668e60$7b33ab20$@akayla.com> <10458.1692306165@localhost> <8211C3C2-B922-4CFF-BE11-5EDB9C22095B@deployingradius.com> <3790.1692316864@localhost> <CO1PR11MB48192C7F6F1D2A3CC79DED20C71BA@CO1PR11MB4819.namprd11.prod.outlook.com>
Message-Id: <02B75B33-E1FF-4EF7-8161-9E8E25824D06@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/9Mws4O0p0KfeNbaIzjbRKvW_XKM>

On Aug 18, 2023, at 5:46 AM, Vadim Cargatser (vcargats) <vcargats@cisco.com> wrote:
> In TLS 1.2: the ticket is part of the handshake, so we cannot bind that with the successful inner authentication, correct?

  Yes.  However, RFC 9190 goes into detail about "don't send tickets until after authentication has completed".  Or "don't allow tickets to be used until after authentication has been completed".

  These are issues common to all TLS-based EAP types.  I'm not sure we need to call them out here.

> In TLS 1.3: it should be possible to issue a ticket after the handshake, so are we OK with such an approach to perform inner method resumption?

  I don't see why we would want to _allow_ inner method resumption.  What benefit does it bring over just using resumption on the outer TLS session?

> Is it worth explaining more on that in the document?

  I'll update it to ban inner method resumption.  I think that's the best approach.

  Alan DeKok.
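The two options Alan names ("don't send tickets until after authentication has completed" for TLS 1.3, where NewSessionTicket is a post-handshake message, and "don't allow tickets to be used until after authentication has been completed" for TLS 1.2, where the ticket is part of the handshake), together with his position that resumption happens only on the outer TLS session and never on the inner method, modelled as server-side policy. This is an added example written for this archive page; it is not code from the thread, from the draft, or from FreeRADIUS or any other TEAP implementation, and every class, method and constant name in it (TeapServerModel, TicketRecord, TICKET_LIFETIME) is hypothetical.

```python
"""
Model of resumption-ticket policy for a TLS-based EAP server (TEAP):
a ticket must not be honoured until the inner authentication that ran
inside the tunnel has completed successfully.  Hypothetical code, not
any real implementation.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TLS12 = "TLSv1.2"
TLS13 = "TLSv1.3"
TICKET_LIFETIME = 3600  # seconds; illustrative value, not from the draft


@dataclass
class TicketRecord:
    """What the server remembers about one issued ticket."""
    issued_at: float
    inner_auth_complete: bool       # may a client use this ticket yet?
    identity: Optional[str] = None  # identity proven by the inner method


class TeapServerModel:
    """State for one TEAP conversation; `cache` is shared across conversations."""

    def __init__(self, cache: Dict[bytes, TicketRecord], tls_version: str):
        self.cache = cache
        self.tls_version = tls_version
        self.ticket: Optional[bytes] = None

    def _issue(self, inner_ok: bool, identity: Optional[str] = None) -> bytes:
        ticket = secrets.token_bytes(32)  # opaque handle into the cache
        self.cache[ticket] = TicketRecord(time.time(), inner_ok, identity)
        return ticket

    def outer_handshake_complete(self) -> Optional[bytes]:
        """Outer TLS handshake finished; the inner EAP method has not run yet.

        TLS 1.2 forces NewSessionTicket into the handshake, so if resumption
        is wanted at all the ticket goes out now; the cache marks it unusable
        until inner authentication succeeds.  TLS 1.3 sends nothing here.
        """
        if self.tls_version == TLS12:
            self.ticket = self._issue(inner_ok=False)
            return self.ticket
        return None

    def inner_auth_result(self, identity: str, success: bool) -> Optional[bytes]:
        """Inner EAP method finished.  Returns a ticket if one is sent now (TLS 1.3)."""
        if not success:
            # A ticket issued during the handshake must not outlive a failed
            # inner authentication.
            if self.ticket is not None:
                self.cache.pop(self.ticket, None)
                self.ticket = None
            return None
        if self.tls_version == TLS13:
            # Post-handshake NewSessionTicket: issued only after inner auth.
            self.ticket = self._issue(inner_ok=True, identity=identity)
            return self.ticket
        # TLS 1.2: unlock the ticket that already went out in the handshake.
        if self.ticket is not None:
            rec = self.cache[self.ticket]
            rec.inner_auth_complete = True
            rec.identity = identity
        return None

    def try_resume(self, ticket: bytes, now: Optional[float] = None) -> Optional[str]:
        """Resumption attempt on the *outer* TLS session.

        Returns the identity the resumed session inherits, or None to force
        a full handshake plus inner authentication.  There is no separate
        inner-method resumption: only the TLS session is resumed, and the
        identity comes from the ticket record, not from re-running a method.
        """
        now = time.time() if now is None else now
        rec = self.cache.get(ticket)
        if rec is None or not rec.inner_auth_complete:
            return None
        if now - rec.issued_at > TICKET_LIFETIME:
            self.cache.pop(ticket, None)
            return None
        return rec.identity


if __name__ == "__main__":
    cache: Dict[bytes, TicketRecord] = {}
    srv = TeapServerModel(cache, TLS12)
    t = srv.outer_handshake_complete()
    print("TLS 1.2 ticket usable before inner auth:", srv.try_resume(t))
    srv.inner_auth_result("alice", True)
    print("TLS 1.2 ticket usable after inner auth:", srv.try_resume(t))
```

The TLS 1.2 branch shows why the "don't allow use until authenticated" wording matters: the ticket has already left the server when inner authentication starts, so the only control left is the cache lookup at resumption time, and a failed inner method must purge it. The TLS 1.3 branch never has that window, because the ticket is simply not issued until the inner result is known.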