IETF Logo Mail Archive

Re: [Emu] New Version Notification for draft-janfred-eap-fido-02.txt

Alexander Clouter <alex+ietf@coremem.com> Sun, 03 March 2024 12:40 UTC

Return-Path: <alex+ietf@coremem.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99632C151094 for <emu@ietfa.amsl.com>; Sun, 3 Mar 2024 04:40:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=coremem.com header.b="j5nxiR3w"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="TVyv2ulA"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w3x-iAcU_CYi for <emu@ietfa.amsl.com>; Sun, 3 Mar 2024 04:40:29 -0800 (PST)
Received: from wfout3-smtp.messagingengine.com (wfout3-smtp.messagingengine.com [64.147.123.146]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9929C15107A for <emu@ietf.org>; Sun, 3 Mar 2024 04:40:29 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailfout.west.internal (Postfix) with ESMTP id D1DB41C000C2 for <emu@ietf.org>; Sun, 3 Mar 2024 07:40:26 -0500 (EST)
Received: from imap46 ([10.202.2.96]) by compute3.internal (MEProxy); Sun, 03 Mar 2024 07:40:26 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coremem.com; h= cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm3; t=1709469626; x=1709556026; bh=0ZPBdTpiwy IJrcDStHMdUDD8O8Z39P4vu7eAnaLJizw=; b=j5nxiR3wsm09N6jXIywoZ4YtxA 2NAdUe4jdZcpVmiiElAYBw2VTvYYrV+mzHZAW4bMA+a/wW3m9nCR9hnVFrIqj8JE nfcVaNE5X6F1eUomiro7eXnNXHTEMhAOFkjZVPl09LTpIRW8XJmD6bwOuA6XT23n wPV9RGvahS0rIZogSFJSQRsqtgR+NhGmm+zp+bSF9/o2eH6C8MUt5HYRy8SSUhqE Ugngjf3UDjKDWHI3Gurz6YYi/p1/2Lagh7zhFpyyv03GDcqW+k8QWWuZA2DG+Iv+ 0dVIVMeDtKR3kz0tG/KNRk2QMA5FnCk7ohLPn9QcbB/DSvO9ZCOzbo0gwPWg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm1; t=1709469626; x=1709556026; bh=0ZPBdTpiwyIJrcDStHMdUDD8O8Z3 9P4vu7eAnaLJizw=; b=TVyv2ulASKYS1PfsdwzSjuN7+EY+KpNXwfLQI1RWc3Cs QtrMqfm7zDvJx2i58Z5beG9lu6QbDYhGVAl77ClTExQo/UAb9DgsC9Zs3Hiq/bK2 8yVxlU+q+Eviw7qP+75uw8FCJkZrJou6h8rvOvVujCmWpUCqEDlUomdLCPunlG+D Sg24hkgiNaisRjmV1pu/N+V79S/ijxeB0mUIs5tlhMGVcSa5OblCe/u8qy7v6F6Q FOkPnNCGc53kE8Jx6kEf4XKtZvEfTDGXJywcxhch7RT3tiL9N16dKZg1iSqXJnkR CThsHKYf+OOm+dU5LhpF2QadvBPe4xaFsWSZu20xrw==
X-ME-Sender: <xms:um_kZckJhrX0efRQqYkRw-uO3FxAzj6EnwjG6FLsfulE0EKbJUnpvg> <xme:um_kZb3cHlIP29JrLTYQPFMZz4yaMvLLp2_Mum-E7f3W-MK3iPpQUt6U6qr0-H9Uf xy8ys9B5V06d99quA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrheehgdegvdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdetlhgvgigrnhguvghrucevlhhouhhtvghrfdcuoegrlhgv gidoihgvthhfsegtohhrvghmvghmrdgtohhmqeenucggtffrrghtthgvrhhnpedvteejhf ehgfegleeuleefteeikefgvefhheekheevvdekueefkeeiieffhfdvgeenucevlhhushht vghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegrlhgvgidoihgvthhfse gtohhrvghmvghmrdgtohhm
X-ME-Proxy: <xmx:um_kZaoiEg2kGo7OqqvrNhhIIEnhXkDt2uF7WrrwaXXqOL_bS8aJVA> <xmx:um_kZYnqeIFQwUAIfbLwajJXQrJuQL6WEDFQQSBrfcBXC1IpM6xT1Q> <xmx:um_kZa22wgOudz-Ji-wYVd415672VNhzCvPRJahADoH6VwVfPnG1kw> <xmx:um_kZf8qvbONv7tyuHWvfdwQjAa-Q47YMs1oy87ILkW-7OlPuIjgqBs8RRg>
Feedback-ID: ie3614602:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 1AC132A2008B; Sun, 3 Mar 2024 07:40:26 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.11.0-alpha0-205-g4dbcac4545-fm-20240301.001-g4dbcac45
MIME-Version: 1.0
Message-Id: <c2951f3d-bcc7-4b90-bcdd-077a506dd464@app.fastmail.com>
In-Reply-To: <66bca1b2-4b2d-429d-8f85-5c76d29005ad@dfn.de>
References: <170932527085.22824.18343512124707075119@ietfa.amsl.com> <66bca1b2-4b2d-429d-8f85-5c76d29005ad@dfn.de>
Date: Sun, 03 Mar 2024 12:39:21 +0000
From: Alexander Clouter <alex+ietf@coremem.com>
To: EMU WG <emu@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/L2c3R_l67uQy0NNy27eVb2TsrHk>
Subject: Re: [Emu] New Version Notification for draft-janfred-eap-fido-02.txt
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Mar 2024 12:40:34 -0000

On Fri, 1 Mar 2024, at 21:08, Jan-Frederik Rieckers wrote:
> Comments are welcome, as always.

Section 4.1.2
-------------
It just popped up as an idea in my reply to the the SEC review of TEAP but...

EAP-TLS sub-methods have been copying the version bits since forever. Maybe it is time to break the mold?

You could instead mark the version field just as reserved bits and move to use TLS ALPN to indicate version as it solves all the problems of downgrade attacks.

It would though require a registration for the entry. Fortunately, this is the initial version, so you could just use "no ALPN" as the indicator and make it a problem for 'future you' to seek a registration when you want a v2.

Section 4.2
-----------
This is almost impenetrable. For an implementer, it helps to be able to see what you have to build and using existing RFCs as an example, working with wire serialisation formats it really helps to show the structure, either through (A)BNF, explicit structure/records like in TLS or the literally bit packing.

Of course for this fancy pants CBOR malarkey, this will not do, but it looks as if CDDL (RFC8610) would help make this section a lot clearer and probably would not be considered a big ask for those working with CBOR to gain familiarity with.

Is there a reason to discern the difference between 'request' and 'response' for each type? Do you expect the server to have a passkey to authenticate to the client? At the moment it looks like a bunch of extra conditionals I would need to add to my code, we no idea the action I should take if I see an unexpected one.

For the errors, I would remove the success/error/failure type and just communicate this through the *presence* of a list of error tuples (<type[enum]>, <fatal[bool]>, <description[str]>) in your map; you may wish to include here a '<required[bool]>' in the tuple as a way for the server (or client) to communicate to the peer "you must understand and not ignore this, otherwise abort".

Passing a list of 'Credential IDs' makes me nervous only in that how big could this list get? Thinking if you wore the hat of a service provider handling multi-tenant access for various clients and their users may have enrolled at multiple realms under the superset of your tenants. These things are at least 16 bytes so is returning 100 a problem? It is only probably around 2 round trips of EAP fragments or so which may mean it is a non-problem? Really, not stating this is an actual problem, I am just trying to put a crazy wild example out there to exaggerate where this machinery may creek.

Instead of a map for your attributes, I would be inclined to lean towards a tagged data item (major type 6) as:

 * smaller
 * faster, the implementation would be an integer compare/jump table (unless you *guarantee* keys are fixed 32/64bits length)
 * more familiar to an implementer in the EAP space (I do not think I have seen anything else use a map construct in EAP or RADIUS?)
 * I am a grumpy old fart and love my TLV's, maybe others share this opinion...about TLVs, not me of course! :)

Myself, I would fold 'PKID' into 'PKIDs' and make it a 'list of length one' when used, but really this is a matter of personal taste.

Section 4.3
-----------
Explicitly stating SHA256 is going to get you into trouble as hardcoding these things makes it awkward to remove them later (eg. MD5 and RADIUS)

Instead I would be inclined to mix your client component (the 'second' part) by using it as the 'context' value for the TLS-Exporter. If you look at the exporter (RFC8446, section 7.5) it is used to mix the label which I suspect is what you are looking for; not part of the secret which the client part is likely to be public knowledge.

This way, as future ciphers and TLS versions come along, you should not need to update the 'hardcoded' SHA256 as you have just outsourced the problem to the TLS-Exporter; the OpenSSL magic for this is `SSL_CIPHER_get_handshake_digest(SSL_get_current_cipher(ssl))`.

Section 6.1.1:
--------------
Do not mix the advantages and disadvantages into the same itemised list.

Thanks

Alex

v2.23.0 | Report a Bug | By Email