Re: [Emu] WG Last Call for Using EAP-TLS with TLS 1.3

John Mattsson <john.mattsson@ericsson.com> Tue, 11 May 2021 12:30 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Meiling Chen <chenmeiling@chinamobile.com>, Joseph Salowey <joe@salowey.net>, emu <emu@ietf.org>
Date: Tue, 11 May 2021 12:30:41 +0000
Message-ID: <997237B4-A9A1-4D03-94C7-94C6D7AB064E@ericsson.com>
References: <CAOgPGoBXRAABeC_kCcCrsUPC03e8C_GGpzJHB+aWAue5sE=9zw@mail.gmail.com> <2021050816243827234212@chinamobile.com>
In-Reply-To: <2021050816243827234212@chinamobile.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/HcEbrlFRZFLZn_LP_gtwdaXVIXw>

Hi Meiling,

In version 15 the group decided to go back more or less to how things worked in version 13, where protected TLS application Data 0x00 is sent instead of close_notify. This is changed in a lot of places in the draft.

A big change from -13 is that protected TLS application Data 0x00 is now a protected success indication as defined in RFC 3748. That the server only sends EAP-Success after this follows from it being a protected success indication.

When reading through the document to write this answer I saw that there was some leftover from the commitment message still in the draft. I made a PR to address this.

https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/69

EAP-Success is not encrypted in any way. It is defined in RFC 3748.

Cheers,
John
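The final round trip John describes (the EAP-Request carrying protected TLS application data 0x00, the peer's empty EAP-Response, then the cleartext EAP-Success of RFC 3748), as an added Python model that is not part of this thread or of the draft's own code. The HMAC-based `tls_protect`/`tls_unprotect` pair and the traffic key are hypothetical stand-ins for TLS 1.3 record protection, and `EapTlsPeer` shows why the unauthenticated EAP-Success is acted on only after the protected indication has been seen.

```python
import hmac, struct
from hashlib import sha256
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_TYPE_TLS = 1, 2, 3, 13  # RFC 3748 codes; EAP-TLS type

def eap_packet(code, identifier, payload=b""):
    """RFC 3748 header: Code(1) Identifier(1) Length(2), then Type and data."""
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload

def eap_tls(code, identifier, flags=0, tls_data=b""):  # Type 13, Flags octet, TLS records
    return eap_packet(code, identifier, bytes([EAP_TYPE_TLS, flags]) + tls_data)

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length does not match packet size")
    return code, ident, pkt[4:]

def tls_protect(key, plaintext):
    """Hypothetical stand-in for a TLS 1.3 application_data record: an HMAC tag models the AEAD."""
    body = plaintext + hmac.new(key, plaintext, sha256).digest()[:16]
    return b"\x17\x03\x03" + struct.pack("!H", len(body)) + body

def tls_unprotect(key, record):
    plaintext, tag = record[5:-16], record[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, plaintext, sha256).digest()[:16]):
        raise ValueError("TLS record authentication failed")
    return plaintext

class EapTlsPeer:
    """Peer after the handshake: accepts the cleartext EAP-Success only after the protected 0x00."""
    def __init__(self, traffic_key):
        self.key, self.success_indicated, self.authenticated = traffic_key, False, False

    def handle(self, pkt):
        code, ident, body = parse_eap(pkt)
        if code == EAP_REQUEST and body[:1] == bytes([EAP_TYPE_TLS]):
            if tls_unprotect(self.key, body[2:]) == b"\x00":
                self.success_indicated = True
                return eap_tls(EAP_RESPONSE, ident)  # empty EAP-Response/EAP-TLS (6 octets)
        elif code == EAP_SUCCESS and self.success_indicated:
            self.authenticated = True  # EAP-Success itself carries no protection
        return None

def run_exchange(traffic_key=b"constructed-traffic-key", ident=7):
    # Server side of the final round trip: protected 0x00 -> empty response -> EAP-Success
    peer = EapTlsPeer(traffic_key)
    request = eap_tls(EAP_REQUEST, ident, 0, tls_protect(traffic_key, b"\x00"))
    response = peer.handle(request)
    success = eap_packet(EAP_SUCCESS, ident) if response == eap_tls(EAP_RESPONSE, ident) else None
    if success:
        peer.handle(success)
    return peer, request, response, success
```

A peer that has not seen the protected 0x00 ignores a bare EAP-Success, and a record protected under a different key is rejected before the 0x00 is ever interpreted.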

From: Emu <emu-bounces@ietf.org> on behalf of Meiling Chen <chenmeiling@chinamobile.com>
Date: Saturday, 8 May 2021 at 10:25
To: Joseph Salowey <joe@salowey.net>, emu <emu@ietf.org>
Subject: Re: [Emu] WG Last Call for Using EAP-TLS with TLS 1.3

I have noticed that there is one modification in the Figure 1 flow diagram of edition 15.
Edition 14 has a TLS close_notify message, but in edition 15 it was changed into TLS application Data 0x00.
In section 2.1.1, it says: "TLS application data 0x00 is therefore to be interpreted as success after the EAP-Request that contains TLS application data 0x00. After the EAP-TLS server has received an empty EAP-Response to the EAP-Request containing the TLS application data 0x00, the EAP-TLS server sends EAP-Success."
Does the data 0x00 mean not sending any more handshake messages?
Another question: what's the format of the EAP-Success message, plaintext or ciphertext?

Best Regards,
Meiling

From: Joseph Salowey <joe@salowey.net>
Date: 2021-05-05 23:33
To: EMU WG <emu@ietf.org>
Subject: [Emu] WG Last Call for Using EAP-TLS with TLS 1.3
This is the working group last-call for draft-ietf-emu-eap-tls13.  Please review the draft, focus on the recent changes and submit your comments to the list by May 20, 2021.

Thanks,

Joe

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-emu-eap-tls13/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-emu-eap-tls13-15
https://datatracker.ietf.org/doc/html/draft-ietf-emu-eap-tls13-15

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-emu-eap-tls13-15