[Emu] AD review on draft-ietf-emu-eap-tls13-18

Roman Danyliw <rdd@cert.org> Thu, 29 July 2021 15:39 UTC

Hi!

I performed a second AD review on draft-ietf-emu-eap-tls13.  This time on -18.  Thank you to the authors, the responsible co-chair,  and the WG for all of the work to redesign the -13 protocol in response to the initial IESG review in December 2020.  My review feedback consists of my own minimal additional comments and highlights of where previously stated IESG ballot items do not appear to be responded to or addressed.  All items appear to be minor.

** Section 2.4.  Previously, this text referenced TLS 1.3 or higher, necessitating a more ambiguous reference to version numbers.  However, now the text only notes TLS 1.3.

OLD

   When EAP-TLS is used with TLS version 1.3, the EAP-TLS peers and EAP-
   TLS servers MUST comply with the compliance requirements (mandatory-
   to-implement cipher suites, signature algorithms, key exchange
   algorithms, extensions, etc.) for the TLS version used.  For TLS 1.3
   the compliance requirements are defined in Section 9 of [RFC8446].

NEW

   When EAP-TLS is used with TLS version 1.3, the EAP-TLS peers and EAP-
   TLS servers MUST comply with the compliance requirements (mandatory-
   to-implement cipher suites, signature algorithms, key exchange
   algorithms, extensions, etc.) defined in Section 9 of [RFC8446].


==[ COMMENT (Ben Kaduk) 

Section 2.1.4

   The two paragraphs below replaces the corresponding paragraphs in
   Section 2.1.3 of [RFC5216] when EAP-TLS is used with TLS 1.3 or
   higher.  The other paragraphs in Section 2.1.3 of [RFC5216] still
   apply with the exception that SessionID is deprecated.

      If the EAP-TLS peer authenticates successfully, the EAP-TLS server
      MUST send an EAP-Request packet with EAP-Type=EAP-TLS containing
      TLS records conforming to the version of TLS used.  The message
      flow ends with the EAP-TLS server sending an EAP-Success message.

      If the EAP-TLS server authenticates successfully, the EAP-TLS peer
      MUST send an EAP-Response message with EAP-Type=EAP-TLS containing
      TLS records conforming to the version of TLS used.

Just to walk through the various scenarios here: if the last message of
the TLS handshake for a given TLS version is sent by the TLS client, that
will go in an EAP-Response, so the server is then able to send
EAP-Success directly.  On the other hand, if the last TLS handshake
message is sent by the server, that will have to go in an EAP-TLS
EAP-Request, and so the peer will have to send an empty EAP-TLS response
in order for the server to be able to send EAP-Success?  Do we need to
have any text here to handle that empty EAP-TLS EAP-Request case?

==[ COMMENT (Alvaro Retana) Is the intention of the Appendix to provide additional formal updates to rfc5216?  That is what it looks like to me, but there's no reference to it from the main text.  Please either reference the Appendix when talking about some of the other updates (if appropriate) or specifically include the text somewhere more prominent.

[Roman] As proposed above, please provide some forward reference.

==[ COMMENT (Éric Vyncke) I find "This section updates Section 2.1.1 of [RFC5216]." a little ambiguous as the 'updated section' is not identified clearly. I.e., as the sections in RFC 5216 are not too long, why not simply provide whole new sections?

[Roman] I'd propose a simple fix by using (approximate phrases such as) either:

This section updates Section xxx of [RFC5216] by amending it with the following text. (for the cases where the intent is to keep the existing text in rfc5216 but add this new text)

This section updates Section xxx of [RFC5216] by replacing it with the following text. (for the cases where the intent is to replace an entire section in rfc5216)

==[ COMMENT (Éric Vyncke) None of us are native English speakers, but "e.g." and "i.e." are usually followed by a comma, while "but" usually has no comma before it ;-)

[Roman] A simple s/e.g./e.g.,/ and s/i.e./i.e.,/ would catch this.

Regards,
Roman
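Ben Kaduk's walk-through of who sends the last TLS flight can be checked mechanically against EAP's lock-step rule. The model below is an added example written for this page, not code from the draft, its authors or any EAP-TLS implementation: it maps TLS handshake flights onto EAP-Request/EAP-Response packets and shows when the peer owes an empty EAP-TLS response before EAP-Success. The TLS 1.3 flight lists are taken from RFC 8446; the trailing NewSessionTicket case is a constructed illustration of the server-speaks-last scenario, not a statement about what the draft specifies.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Flight:
    """One TLS handshake flight: who sends it ("server" or "peer") and its messages."""
    sender: str
    messages: Tuple[str, ...]

def encapsulate(flights: List[Flight]) -> List[str]:
    """EAP packets carrying the TLS flights, under EAP's lock-step rule (RFC 3748):
    the server sends only EAP-Request, the peer only EAP-Response, and every
    EAP-Request must be answered before the server sends anything else."""
    # EAP-TLS begins with an EAP-Request carrying the Start flag and no TLS data.
    packets = ["EAP-Request/EAP-TLS (Start)"]
    awaiting_response = True
    for flight in flights:
        payload = "+".join(flight.messages)
        if flight.sender == "peer":
            if not awaiting_response:
                raise ValueError("peer may only answer an outstanding EAP-Request")
            packets.append(f"EAP-Response/EAP-TLS [{payload}]")
            awaiting_response = False
        else:
            if awaiting_response:
                raise ValueError("server must wait for the EAP-Response first")
            packets.append(f"EAP-Request/EAP-TLS [{payload}]")
            awaiting_response = True
    # A final server->peer flight rides in an EAP-Request, so the peer still owes
    # an EAP-Response carrying no TLS data before the server can send EAP-Success.
    if awaiting_response:
        packets.append("EAP-Response/EAP-TLS [empty]")
    packets.append("EAP-Success")
    return packets

def needs_empty_response(flights: List[Flight]) -> bool:
    """True when the peer must send the empty EAP-TLS response the comment asks about."""
    return "EAP-Response/EAP-TLS [empty]" in encapsulate(flights)

# TLS 1.3 full handshake with client authentication (RFC 8446 Section 2).
TLS13_FULL = [
    Flight("peer", ("ClientHello",)),
    Flight("server", ("ServerHello", "EncryptedExtensions", "CertificateRequest",
                      "Certificate", "CertificateVerify", "Finished")),
    Flight("peer", ("Certificate", "CertificateVerify", "Finished")),
]
# Constructed variant: the server sends a post-handshake NewSessionTicket
# (RFC 8446 Section 4.6.1) after the peer's Finished, so the server speaks last.
TLS13_SERVER_LAST = TLS13_FULL + [Flight("server", ("NewSessionTicket",))]
```

Running `encapsulate(TLS13_SERVER_LAST)` shows the extra empty EAP-Response inserted before EAP-Success, while `encapsulate(TLS13_FULL)` ends directly with the peer's Finished followed by EAP-Success.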