Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

"Owen Friel (ofriel)" <ofriel@cisco.com> Wed, 18 September 2019 12:45 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Alan DeKok <aland@deployingradius.com>, John Mattsson <john.mattsson@ericsson.com>
CC: "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>, EMU WG <emu@ietf.org>
Date: Wed, 18 Sep 2019 12:45:07 +0000
Message-ID: <CY4PR1101MB22781AB8C8982ACF99B61544DB8E0@CY4PR1101MB2278.namprd11.prod.outlook.com>
References: <7828_1564869242_5D46027A_7828_348_1_02e001d54a45$e92ae900$bb80bb00$@augustcellars.com> <20b118932a4843b6b88e605799fafea8@aalto.fi> <211AD83C-D111-4EEB-AAF0-D9B5E521F4CF@deployingradius.com> <8F355C6F-DF1E-4E03-B75E-0F1D2508B9D4@ericsson.com> <246280B8-6E5C-484B-95BD-9C940C98C507@deployingradius.com>
In-Reply-To: <246280B8-6E5C-484B-95BD-9C940C98C507@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/JkZ4th6_LiExZUQS1lbH_hz-p2A>
Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13


> -----Original Message-----
> From: Emu <emu-bounces@ietf.org> On Behalf Of Alan DeKok
> Sent: 12 September 2019 16:28
> To: John Mattsson <john.mattsson@ericsson.com>
> Cc: draft-ietf-emu-eap-tls13@ietf.org; EMU WG <emu@ietf.org>
> Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
> 
> On Sep 12, 2019, at 10:55 AM, John Mattsson
> <john.mattsson@ericsson.com> wrote:
> >
> >>     See Section 2.1.2.  TLS 1.3 uses PSK for resumption.  As a result, we
> >> *cannot* use PSK for authentication in EAP-TLS.
> >
> > I don't understand why this could not be done. My view is that allowing PSK
> > authentication would be quite easy.
> 
>   How would systems tell the difference between "raw" PSK and
> "resumption" PSK?
> 
>   When allowing resumption, the server has sent a PSK identity in a
> NewSessionTicket message.  The client caches this and re-uses this.  But the
> client signals that it is performing resumption via the act of using PSK.  There's
> nothing else.
> 
>   Which means that if PSK was allowed, the server can't look at the packets to
> distinguish resumption from "raw" PSK.  Instead, the server has to look at its
> resumption cache which may be in a DB.

The server can use the PskIdentity in the PreSharedKeyExtension to differentiate between an offline PSK used for authentication vs. a PSK established via NewSessionTicket.

There should be no problem here, and the statement

" Pre-Shared Key (PSK) authentication SHALL NOT be used except
   for resumption. "

should be updated to clarify.

> 
> >>> While there is the EAP-PSK method, I would much rather use EAP-TLS
> >>> with PSK because it provides identity protection and perfect forward
> >>> secrecy, unlike EAP-PSK.
> >>
> >>     Use EAP-PWD for that.
> >
> > Standardizing EAP-TLS should only be done if it has some significant
> > advantages over EAP-PWD, and there are people wanting to implement and
> > use it. 3GPP is e.g. adding identity protection and perfect forward secrecy to
> > EAP-AKA instead.
> 
>   I would prefer to forbid PSK in EAP-TLS.
> 
>   Alan DeKok.
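The distinction Owen describes, as an added example that is not part of this thread and not code from the draft or from any EAP-TLS implementation: a small Python parser for the ClientHello pre_shared_key extension (RFC 8446 section 4.2.11) that labels each offered PskIdentity as an external PSK or a resumption ticket from the identity bytes alone, before the server touches its ticket cache. Two things are hypothetical assumptions made for illustration only: a registry of provisioned external identities (EXTERNAL_PSK_IDENTITIES) and a fixed tag (TICKET_TAG) that this server prepends to the identities it issues in NewSessionTicket. The sample extension is constructed inline with dummy binders.

```python
"""
Parse a TLS 1.3 pre_shared_key ClientHello extension (RFC 8446 s4.2.11)
and classify each offered PskIdentity as external or resumption.

Added example, not code from draft-ietf-emu-eap-tls13 or any EAP-TLS
implementation. Hypothetical assumptions, for illustration only:
  * the server keeps a registry of the external PSK identities it
    provisioned out of band (EXTERNAL_PSK_IDENTITIES);
  * the server prepends a fixed tag (TICKET_TAG) to every identity it
    hands out in NewSessionTicket, so its own tickets are recognisable
    without a cache lookup.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

TICKET_TAG = b"\x00TKT"  # hypothetical marker on server-issued ticket identities
EXTERNAL_PSK_IDENTITIES = {  # hypothetical registry of provisioned external PSKs
    b"device-0042@eap.example": b"\x11" * 32,
}


@dataclass
class PskIdentity:
    identity: bytes
    obfuscated_ticket_age: int


def parse_pre_shared_key(ext_body: bytes) -> Tuple[List[PskIdentity], List[bytes]]:
    """Parse OfferedPsks { identities<7..2^16-1>; binders<33..2^16-1> }."""
    off = 0
    (ids_len,) = struct.unpack_from("!H", ext_body, off)
    off += 2
    ids_end = off + ids_len
    identities: List[PskIdentity] = []
    while off < ids_end:
        (id_len,) = struct.unpack_from("!H", ext_body, off)
        off += 2
        if id_len == 0:
            raise ValueError("PskIdentity.identity must be non-empty")
        ident = ext_body[off:off + id_len]
        off += id_len
        (age,) = struct.unpack_from("!I", ext_body, off)
        off += 4
        identities.append(PskIdentity(ident, age))
    if off != ids_end:
        raise ValueError("identities vector length mismatch")
    (binders_len,) = struct.unpack_from("!H", ext_body, off)
    off += 2
    binders_end = off + binders_len
    binders: List[bytes] = []
    while off < binders_end:
        b_len = ext_body[off]
        off += 1
        if not 32 <= b_len <= 255:
            raise ValueError("PskBinderEntry must be 32..255 bytes")
        binders.append(ext_body[off:off + b_len])
        off += b_len
    if off != binders_end or off != len(ext_body):
        raise ValueError("binders vector length mismatch")
    # RFC 8446 s4.2.11: exactly one binder per identity, else the hello is malformed
    if len(binders) != len(identities):
        raise ValueError("binder count != identity count")
    return identities, binders


def classify(identity: bytes) -> str:
    """Decide which PSK path an identity selects, using only the identity bytes."""
    if identity in EXTERNAL_PSK_IDENTITIES:
        return "external"      # authenticate with the provisioned key
    if identity.startswith(TICKET_TAG):
        return "resumption"    # go to the ticket/resumption cache
    return "unknown"           # neither; ignore this identity


def build_pre_shared_key(identities: List[PskIdentity], binders: List[bytes]) -> bytes:
    """Encode OfferedPsks; used here only to construct a sample extension body."""
    ids = b"".join(struct.pack("!H", len(i.identity)) + i.identity +
                   struct.pack("!I", i.obfuscated_ticket_age) for i in identities)
    bs = b"".join(bytes([len(b)]) + b for b in binders)
    return struct.pack("!H", len(ids)) + ids + struct.pack("!H", len(bs)) + bs


def offered_psk_kinds(ext_body: bytes) -> List[Tuple[bytes, str]]:
    """Return (identity, kind) for every PskIdentity the client offered."""
    identities, _ = parse_pre_shared_key(ext_body)
    return [(i.identity, classify(i.identity)) for i in identities]


if __name__ == "__main__":
    # Constructed sample: one external identity, one ticket, dummy 32-byte binders
    sample = build_pre_shared_key(
        [PskIdentity(b"device-0042@eap.example", 0),
         PskIdentity(TICKET_TAG + b"\x42" * 16, 12345678)],
        [b"\x00" * 32, b"\x00" * 32])
    for ident, kind in offered_psk_kinds(sample):
        print(kind, ident)
```

The classification only chooses which path the server takes; it must still verify the binder of the identity it selects, and for a ticket it must still decrypt or look up the ticket. The approach depends on the deployment keeping the two identity spaces disjoint (by registry, by tag, or both), which is the detail the draft text would need to spell out if it allowed external PSKs.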