Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

"Owen Friel (ofriel)" <ofriel@cisco.com> Thu, 07 November 2019 17:30 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Joseph Salowey <joe@salowey.net>, Alan DeKok <aland@deployingradius.com>
CC: "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Michael Richardson <mcr@sandelman.ca>, EMU WG <emu@ietf.org>
Thread-Topic: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
Date: Thu, 07 Nov 2019 17:30:16 +0000
Message-ID: <MN2PR11MB390137BA293101102515A3AFDB780@MN2PR11MB3901.namprd11.prod.outlook.com>
References: <7828_1564869242_5D46027A_7828_348_1_02e001d54a45$e92ae900$bb80bb00$@augustcellars.com> <20b118932a4843b6b88e605799fafea8@aalto.fi> <211AD83C-D111-4EEB-AAF0-D9B5E521F4CF@deployingradius.com> <8F355C6F-DF1E-4E03-B75E-0F1D2508B9D4@ericsson.com> <246280B8-6E5C-484B-95BD-9C940C98C507@deployingradius.com> <CY4PR1101MB22781AB8C8982ACF99B61544DB8E0@CY4PR1101MB2278.namprd11.prod.outlook.com> <17E08795-4E4E-4507-8384-836020966BCF@deployingradius.com> <634C375D-FBF3-4297-A5C0-E68C903CA34A@ericsson.com> <CAOgPGoBko6N_JebmisoSk_EJ=Hq21sV3xoXjLw4r7D+OFSsdZA@mail.gmail.com> <CC58A292-03D6-4D70-A11F-B8FEE7311E78@cisco.com> <26738.1570791861@dooku.sandelman.ca> <AD799A14-8268-4BAF-8925-3567973C7507@cisco.com> <9501.1570802988@dooku.sandelman.ca> <DCC85780-B079-4AD0-8870-7528270B70D8@cisco.com> <CAOgPGoA0RCY+J5bDOyUiKtFy5Vk=C11yvE8O=rsJPQeS8Fzk0A@mail.gmail.com> <B31BF8C4-6568-49F2-BBD1-BD6AC66D393C@cisco.com> <20826A11-1881-40F9-8C54-82BB90820851@deployingradius.com> <CAOgPGoCAb6hbWfPLLGDXAv80Grxn1vTTxOzLctx4E+R0ZhBvGg@mail.gmail.com>
In-Reply-To: <CAOgPGoCAb6hbWfPLLGDXAv80Grxn1vTTxOzLctx4E+R0ZhBvGg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/HJ9Njpasz8xSNvU00eqJ2tr9Nxo>


> -----Original Message-----
> From: Emu <emu-bounces@ietf.org> On Behalf Of Joseph Salowey
> Sent: 31 October 2019 04:45
> To: Alan DeKok <aland@deployingradius.com>
> Cc: draft-ietf-emu-eap-tls13@ietf.org; John Mattsson
> <john.mattsson=40ericsson.com@dmarc.ietf.org>; Michael Richardson
> <mcr@sandelman.ca>; EMU WG <emu@ietf.org>
> Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
> 
> 
> 
> On Wed, Oct 30, 2019 at 4:12 AM Alan DeKok <aland@deployingradius.com> wrote:
> On Oct 30, 2019, at 5:02 AM, Eliot Lear <lear@cisco.com> wrote:
> > A fair argument, if it can be made, and I am not convinced it has been fully
> > expressed, is the idea that there is no context by which one can separate fast
> > restart and initial authentication.  This is Alan’s concern.  I’m not saying it’s
> > without merit, but what I cannot yet see is whether it is an implementation or a
> > protocol matter.
> 
>   I believe it's a protocol matter.  In TLS 1.3, PSK handshakes are the same as
> resumption handshakes.
> 
>   It's not clear to me how this issue was addressed when using TLS 1.3 with
> HTTPS.  But I do believe it's an issue there, too.
> 
> [Joe] Can you elaborate on what the issue is?  I think most TLS deployments
> operate in either a certificate based mode or a PSK mode, but not both at the
> same time.

[ofriel] TLS1.3 explicitly does not allow both PSK and certs simultaneously. draft-ietf-tls-tls13-cert-with-extern-psk does, but that’s Experimental. I don't think TLS with extern PSK is really intended for Web/Browser HTTPS connections. It's more for devices/things which are preprovisioned with the extern PSK.

In TLS1.3, by design the protocol does not differentiate between resumption and external PSKs, and says nothing about PSK ID format, as commented here https://mailarchive.ietf.org/arch/msg/tls/Q5K8HSPPgLRojQwXbV4ZTIxBIH0, https://mailarchive.ietf.org/arch/msg/tls/X_z8pc3oS2Au7KajjMhlWhP1UPc

And it's application-specific how the two are differentiated; the spec says nothing about it: https://mailarchive.ietf.org/arch/msg/tls/btLnZERYv8GJJ2PFUksjNsDyv8o

I still don't get why EAP-TLS1.3 should place restrictions on use of TLS1.3. Surely it should be an EAP server implementation decision on whether to support that feature or not, but we should not preclude a specific EAP server implementation from supporting extern PSK by disallowing it in the spec. If a particular EAP server does not want to support extern PSK - that’s fine.

> 
>   As an additional note, I believe it's also important that
> draft-dekok-emu-tls-eap-types be published at the same time as the EAP-TLS
> document.  The only unknown there is FAST and TEAP.  I'm happy to remove them
> from the document.
> 
>   But at this point it's not even a WG document.  There's not even consensus that
> the document is necessary, which surprises me rather a lot.  Because password-
> based EAP methods are *much* more wide-spread than EAP-TLS.
> 
>   If the IETF publishes EAP-TLS without simultaneously rev'ing TTLS and PEAP, it
> will not only look bad, it will *be* bad.  And the industry press will (rightfully)
> lambast the standards process.
> 
> [Joe] We need people to contribute to the document.  If we are going to publish
> a document through the working group it needs to at least to include TEAP.   I
> know there are folks on this list who are implementing.  They need to step up
> and help with this document and the TEAP errata.
> 
>   Alan DeKok.
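As an added example that is not part of Owen's message, of the EAP-TLS draft, or of any EAP server implementation: a Python decoder for the OfferedPsks structure carried in the TLS 1.3 pre_shared_key extension (RFC 8446, Section 4.2.11), followed by a constructed server-side policy that decides per identity whether it is an external PSK or a self-issued resumption ticket. The external-PSK table, the ticket key and the HMAC-tagged ticket format are assumptions made up for this example (a real server encrypts ticket state). What the code shows is the point made above: the wire format carries no type flag, obfuscated_ticket_age cannot be used as one, and the split between resumption and external PSK is entirely the server's decision.

```python
"""Decode TLS 1.3 OfferedPsks and classify each identity by server-local policy.

Wire format (RFC 8446, Section 4.2.11):
    struct { opaque identity<1..2^16-1>; uint32 obfuscated_ticket_age; } PskIdentity;
    opaque PskBinderEntry<32..255>;
    struct { PskIdentity identities<7..2^16-1>; PskBinderEntry binders<33..2^16-1>; } OfferedPsks;
Nothing in it says whether an identity is a ticket or an external PSK.
"""
import hashlib
import hmac
import struct

# Constructed server state for the example (assumptions, not a real deployment).
TICKET_KEY = b"\x11" * 32                     # key protecting self-issued tickets
EXTERNAL_PSKS = {b"device-0042": b"\x42" * 32}  # provisioned external PSKs by identity


def issue_ticket(session_state: bytes) -> bytes:
    """Constructed ticket: state || HMAC-SHA256(TICKET_KEY, state).
    Enough to make 'did we issue this?' a verifiable question."""
    return session_state + hmac.new(TICKET_KEY, session_state, hashlib.sha256).digest()


def ticket_is_ours(identity: bytes) -> bool:
    """True only if the identity carries a valid tag under our ticket key."""
    if len(identity) <= 32:
        return False
    body, tag = identity[:-32], identity[-32:]
    expected = hmac.new(TICKET_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def build_offered_psks(entries):
    """Encode OfferedPsks from [(identity, obfuscated_ticket_age, binder), ...]."""
    ids = b"".join(struct.pack("!H", len(i)) + i + struct.pack("!L", age) for i, age, _ in entries)
    binders = b"".join(bytes([len(b)]) + b for _, _, b in entries)
    return struct.pack("!H", len(ids)) + ids + struct.pack("!H", len(binders)) + binders


def parse_offered_psks(body: bytes):
    """Decode OfferedPsks into [(identity, obfuscated_ticket_age, binder), ...].
    Raises ValueError on any framing violation; binders are framed, not verified."""
    def u16(p):
        return struct.unpack("!H", body[p:p + 2])[0]

    if len(body) < 2:
        raise ValueError("truncated OfferedPsks")
    ids_end = 2 + u16(0)
    if ids_end > len(body):
        raise ValueError("identities overrun extension body")
    pos, identities = 2, []
    while pos < ids_end:
        if pos + 2 > ids_end:
            raise ValueError("bad identity length field")
        n = u16(pos)
        pos += 2
        if n == 0 or pos + n + 4 > ids_end:
            raise ValueError("bad identity")
        identity = body[pos:pos + n]
        pos += n
        age = struct.unpack("!L", body[pos:pos + 4])[0]
        pos += 4
        identities.append((identity, age))
    if pos + 2 > len(body):
        raise ValueError("missing binders")
    binders_end = pos + 2 + u16(pos)
    pos += 2
    if binders_end != len(body):
        raise ValueError("binders length mismatch")
    binders = []
    while pos < binders_end:
        n = body[pos]
        pos += 1
        if n < 32 or pos + n > binders_end:
            raise ValueError("bad binder")
        binders.append(body[pos:pos + n])
        pos += n
    if len(binders) != len(identities):
        raise ValueError("binder count does not match identity count")
    return [(i, a, b) for (i, a), b in zip(identities, binders)]


def classify_identity(identity: bytes, obfuscated_ticket_age: int) -> str:
    """Server policy (assumed for the example): 'external' if provisioned,
    'resumption' if we issued it, else 'unknown'. obfuscated_ticket_age is
    deliberately ignored: RFC 8446 says servers MUST ignore it for external
    PSKs and clients SHOULD send 0, so it cannot discriminate the two cases."""
    if identity in EXTERNAL_PSKS:
        return "external"
    if ticket_is_ours(identity):
        return "resumption"
    return "unknown"


def classify_client_hello_psks(body: bytes):
    """Parse OfferedPsks and tag every offered identity."""
    return [(i, classify_identity(i, age)) for i, age, _ in parse_offered_psks(body)]


if __name__ == "__main__":
    dummy_binder = b"\x00" * 32  # constructed; real binders are HMACs over the transcript
    offered = build_offered_psks([
        (b"device-0042", 0, dummy_binder),            # provisioned external PSK
        (issue_ticket(b"sess-1"), 0, dummy_binder),   # ticket we issued
        (b"nobody", 0, dummy_binder),                 # neither
    ])
    for identity, kind in classify_client_hello_psks(offered):
        print(f"{kind:10s} {identity[:16]!r}")
```

The lookup order in classify_identity is itself policy: if an operator provisioned an external PSK whose identity happened to match the ticket format, the table check would win only because it runs first. That is exactly the kind of decision RFC 8446 leaves to the application and an EAP server would have to make for itself.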