Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
Joseph Salowey <joe@salowey.net> Mon, 01 February 2021 18:30 UTC
Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D15113A13A0 for <emu@ietfa.amsl.com>; Mon, 1 Feb 2021 10:30:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SUtCRSe8U0np for <emu@ietfa.amsl.com>; Mon, 1 Feb 2021 10:30:58 -0800 (PST)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE01A3A1398 for <emu@ietf.org>; Mon, 1 Feb 2021 10:30:57 -0800 (PST)
Received: by mail-lj1-x233.google.com with SMTP id v15so17877279ljk.13 for <emu@ietf.org>; Mon, 01 Feb 2021 10:30:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qhSEZOTfMfTjLyRSA/+BS1JbfVw5d5vjqLjl7Qq7Ryc=; b=FqzfEoF10WJNAiLggJVHKvUSLIWQVEPJ7RgxiyOtg79ulhWUqcS0IxC4WQNSX+0/5J wy1eeavgWiyZ+Ap5/6smvmz0bdcfpB8k1pQ2DrZWOj2VjmLUrcieqqVPSjDnJTqHXbDj dIqAvYV3QnjJhnRsCOtQLEpQZpAG2Qfby8nSqF0BGnlR8fUxon6m2K81dWyla2n5VOiM rFv30qW7ab94xVfvjDjDIeLJQUXQBJx35VQJSQ2rn6U7m0bi56aDxQh1eKCh6JarLK7N +CnxuRQ7flUHbpwNm65ftUShO3z83VFElssUH50nXMLmLnZoNrcbL/PDcmmfBEHlAEFX MLmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qhSEZOTfMfTjLyRSA/+BS1JbfVw5d5vjqLjl7Qq7Ryc=; b=q8fQcSxibgWYV1ecZccpWZsh8Goyv8t1DDkXvsnI6tlzlc1+s8RHRiA1i+D6f8IjV0 KesyBhxE1fvAKvEZbMMNaIoyLKg73wMuIQRQXLBrDgGGNvbuCOLjdm7qfJxKxv7Pjy9W 1TGN4CkrncV4dmv0nVD1TSJ4sifT+QBH9M9190pAOv7mE6lnObY1196alBN4rLBqAV07 rLKupAVGM0716SkolLHtnToQ62a3NePMSCQw6Xp7vDvaGadG6tFSYQ++hpOVaEwx6P2E HVc4Rrv4Fo7inElAXBNwm0X0pBJB60xF4uGGBhyfINkYKiRKK2Dwy3igY1chzwuaTpU2 Dd7A==
X-Gm-Message-State: AOAM533oxQQFo6vbheIUoQhN5/wMQZ4vMDOmdAjOSdHHrkHO0xBuI1ZA uWr6GVI48wb342AOvFQCx1RmqVfshkEYnTXFVjt+dg==
X-Google-Smtp-Source: ABdhPJxhXirAWCwBhmtcUKIaMBAKX930PUBQrTxrrSmOvmezJcEx0WhQMidqpwYQx9ZMxKqbwVD9TB94Do8Z3snbiFg=
X-Received: by 2002:a2e:870d:: with SMTP id m13mr11327140lji.64.1612204254574; Mon, 01 Feb 2021 10:30:54 -0800 (PST)
MIME-Version: 1.0
References: <9ddd1593-3131-f5cc-d0db-74bf3db697bf@ericsson.com> <3CB58153-8CCA-4B1E-B530-BA67A6035310@deployingradius.com> <CAOgPGoA3U+XpZMY7J+KGovNx6MtAdEzRaGW33xVJdQNWSi4LVg@mail.gmail.com> <770e6a49-52fc-4e8b-91af-48f85e581fbb@www.fastmail.com> <CAOgPGoBGOMXH-kMhQSujWxnACdmBL845u0ouE0fUYc4rWtUrZg@mail.gmail.com> <ca4c526e-79a0-4fa7-abda-2b626795f068@www.fastmail.com> <3409F71E-4CE4-46BB-8079-BFBE9BE83C9A@deployingradius.com> <66157321-55DC-4831-8EF2-D75934D9024C@deployingradius.com> <20210129183220.GI21@kduck.mit.edu> <1A830492-3404-4BCC-844B-D7D950458BD9@deployingradius.com> <20210201171155.GB21@kduck.mit.edu>
In-Reply-To: <20210201171155.GB21@kduck.mit.edu>
From: Joseph Salowey <joe@salowey.net>
Date: Mon, 01 Feb 2021 10:30:43 -0800
Message-ID: <CAOgPGoA9FqzEGr5_XVYVr2bairdWdNV-Bh8PX462cRKcSrjpug@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Alan DeKok <aland@deployingradius.com>, "<tls@ietf.org>" <tls@ietf.org>, EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e6560a05ba4a8d78"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/DIJKZwg55TctYD7jsD51q9atmLM>
Subject: Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2021 18:31:00 -0000
On Mon, Feb 1, 2021 at 9:12 AM Benjamin Kaduk <kaduk@mit.edu> wrote: > Hi Alan, > > I'll second the thanks for putting this together; I think it covers the > important open points. > > I did belatedly remember one more thing that is perhaps not critical, but > would also be good to get an answer for: > > On Fri, Jan 29, 2021 at 03:00:51PM -0500, Alan DeKok wrote: > [...] > > > > DISCUSS: other than word-smithing the above points, are there serious > objections to the behaviour documented in -13? i.e. does the IETF want to > recommend that EAP-TLS alpha testing begins *now*, or should it wait until > 2022? > > I think that an exchange between Martin and Mohit raised the question of > whether the EAP server-id and peer-id would be available for use in the > 'context' argument of the TLS Exporter, as that would help strengthen the > binding between keys and the authentication exchange. > I do recall a mention that WolfSSL doesn't support a context argument for > the exporter, but I don't know how prohibitive that limitation would be in > practice. > > [Joe] This could also address the early export of keys before the peer is authenticated. RFC 5216 provides a canonical way to create these IDs, but I'm not sure anyone follows it today and it may be difficult to implement in practice due to ordering. It might be simpler to just specify that the end entity peer and client certificates are used in the key derivation. Most libraries provide APIs to get the raw certs. It looks like the WolfSSL API that Mohit linked is specifically for RFC5216 EAP keys and not a general exporter API. I'm not sure if they have a general exporter API. > -Ben > > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://www.ietf.org/mailman/listinfo/emu >
- [Emu] Benjamin Kaduk's Discuss on draft-ietf-emu-… Benjamin Kaduk via Datatracker
- [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Emu] Benjamin Kaduk's Discuss on draft-ietf-… Alan DeKok
- Re: [Emu] Benjamin Kaduk's Discuss on draft-ietf-… Mohit Sethi M
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Martin Thomson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Martin Thomson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Martin Thomson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Martin Thomson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [Emu] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Salz, Rich
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Michael Richardson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Dan Harkins
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Michael Richardson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- [Emu] Fwd: [TLS] Fwd: Benjamin Kaduk's Discuss on… Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Martin Thomson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Jorge Vergara
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … John Mattsson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Jorge Vergara
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Jorge Vergara
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Peter Gutmann
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Salz, Rich
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Jorge Vergara
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … John Mattsson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … John Mattsson