Re: [Emu] WG Last Call for Using EAP-TLS with TLS 1.3 (draft-ietf-emu-eap-tls13-17)

Joseph Salowey <joe@salowey.net> Thu, 08 July 2021 16:42 UTC

Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACC7D3A28CB for <emu@ietfa.amsl.com>; Thu, 8 Jul 2021 09:42:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TGUZI8P0sZaE for <emu@ietfa.amsl.com>; Thu, 8 Jul 2021 09:42:13 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 770763A28C2 for <emu@ietf.org>; Thu, 8 Jul 2021 09:42:13 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id s18so3445814ljg.7 for <emu@ietf.org>; Thu, 08 Jul 2021 09:42:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=g9FlUSxZXXJyfToe0ZjRRVFUZU7kqIu6ojFpKJ7WieE=; b=XdmM5r9Q4GjViqreZZsizkMF3UqNmijabMeDlWLBZjVy5oqsfAgC5LblEwpVarTw2Z /WQRtEohpel7P7nRXkxfznLcg+ulPuEuc87LcKu0csMOJbwVMInJ2BPkmXL6yD8ED1KG cfg1KCgG/Ly6f2xDn/vg2D8slGv7AKqZvtGkIt838qPbhbmlNTFkO+05nrw4LGIU76N9 AiweaMIWWC56fTqYCNsy4ofBlz2GQOc70dShEXFI14ro2ImSBKKjeP/eka98st4IRJtM YdoUFWFa1v2pH6jmnNpHrrI1xQcoTnfvJDjxjJdngemTtkXruo9jBNoZOmUzJyamAzAc EZ6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=g9FlUSxZXXJyfToe0ZjRRVFUZU7kqIu6ojFpKJ7WieE=; b=oSsyuwgqKPIdQVQ1aatQWqJldA3M8utB0yRS11PRBmt0Szn0C4KdJ/R04kpt3KaOg7 vT2wOxHnps0d3nJsRKN/YE3CzOJmdyzKmig5pbVyrimcW9jvSiTd208mDci7U9d8Zdva /ouVOCA0LG4zwNLyBM9MIO5S6bXkf9W1+ue0XSZV4lXOK6XUc7X0P0rKnK6ux+YDkNVb oR6bEFSV5BQCKX1+12vMSXdKoAzh1ThFf56nFzsKrUVoOfuGBl+dIHs+rV9EjsLqY8Wk A+XI5twe/qEYRbhbhYEP4nakvRhpw3Y+rb0zcVX7Wh3qr2lJYOj26dnT5hrdB4dlHRRK 1QMg==
X-Gm-Message-State: AOAM531MPPNqO+oLnc45weui2i4dj2ICkXUsUMlvUIBJ5bR6G3NjYzaa oS6gwfWBdJZ4vWlmtbM6VcJHKETW7y95wXQNddidmg==
X-Google-Smtp-Source: ABdhPJzX1QswBEZIePbQgr+aIYIbSpnAgWdjD8mKIjQLI5g//ZIMrLaszb5QpXGMvvjQm1zjL7hmfs9mfVOBCIQYaG4=
X-Received: by 2002:a05:651c:481:: with SMTP id s1mr11761740ljc.444.1625762530949; Thu, 08 Jul 2021 09:42:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoDX9HdmgvmnWz_xUTqXMM7pd4_T9W3opFR77ce8CNWdQQ@mail.gmail.com> <CABXxEz9GSgGof6t_3w3AngH6-FrMbKzDGKpDS90-N2gtmgqgnA@mail.gmail.com> <CAOgPGoBLb-70jynH7o26nyF4T=+ZcCk6GMb6zyXk6E8+erTjqQ@mail.gmail.com> <CAOgPGoADC_z4v2pUOAXC+HW1-P_OOuLOL5zR9tBjTCXXV7-22A@mail.gmail.com> <2c67a3b5-de25-cd3e-5b7c-e01e11a05ab1@ericsson.com> <CABXxEz_XKE6JqQfZR5VKA3jsA1wUzCeSh-eUNgzxMaLfVau5bQ@mail.gmail.com>
In-Reply-To: <CABXxEz_XKE6JqQfZR5VKA3jsA1wUzCeSh-eUNgzxMaLfVau5bQ@mail.gmail.com>
From: Joseph Salowey <joe@salowey.net>
Date: Thu, 8 Jul 2021 09:42:00 -0700
Message-ID: <CAOgPGoDAYsH2arey-SPykbZaki7Xq-QuWWvK6p9Ux2cRK6OP2w@mail.gmail.com>
To: Oleg Pekar <oleg.pekar.2017@gmail.com>
Cc: Mohit Sethi M <mohit.m.sethi@ericsson.com>, EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000258f3705c69f56b7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/LsBQPPoqQek_BqIchBhZIp6o36Y>
Subject: Re: [Emu] WG Last Call for Using EAP-TLS with TLS 1.3 (draft-ietf-emu-eap-tls13-17)
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jul 2021 16:42:19 -0000

I created PR that I think captures these suggestions and another editorial
fix - https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/87

Cheers,

Joe

On Thu, Jul 8, 2021 at 9:36 AM Oleg Pekar <oleg.pekar.2017@gmail.com> wrote:

>
>
> On Thu, Jul 8, 2021 at 8:31 AM Mohit Sethi M <mohit.m.sethi@ericsson.com>
> wrote:
>
>> Hi Oleg, Joe, all,
>> On 7/8/21 8:06 AM, Joseph Salowey wrote:
>>
>>
>>
>> On Tue, Jul 6, 2021 at 10:08 PM Joseph Salowey <joe@salowey.net> wrote:
>>
>>>
>>>
>>> On Mon, Jun 28, 2021 at 8:11 AM Oleg Pekar <oleg.pekar.2017@gmail.com>
>>> wrote:
>>>
>>>> I still see unclearness in Section "2.2. Identity Verification", I'm
>>>> trying to look from the implementer's perspective.
>>>>
>>>> 1) "Since EAP-TLS deployments may use more than one EAP
>>>>    server, each with a different certificate, EAP peer implementations
>>>>    SHOULD allow for the configuration of a unique trusted root (CA
>>>>    certificate) to authenticate the server certificate and one or more
>>>>    server names to match against the SubjectAltName (SAN) extension in
>>>>    the server certificate.  To simplify name matching, an EAP-TLS
>>>>    deployment can assign a name to represent an authorized EAP server
>>>>    and EAP Server certificates can include this name in the list of SANs
>>>>    for each certificate that represents an EAP-TLS server."
>>>>
>>>> --- question: Should the server name match *any* of SAN extensions in
>>>> the server certificate? If so - then suggest to say this explicitly.
>>>>
>>>>
>> [Joe] DOes adding the following sentence help?
>>
>> "If any of the configured names match any of the names in the SAN
>> extension then the name check passes."
>>
>> This makes sense. I will update the draft in github.
>>
>>
>>
>>>
>>> [Joe] yes the behavior is to match any.
>>>
>>>
>>>> 2) "If server
>>>>    name matching is not used, then peers may end up trusting servers for
>>>>    EAP authentication that are not intended to be EAP servers for the
>>>>    network."
>>>>
>>>> --- question: It looks like a warning, right? Suggest to make it more
>>>> explicit. Something like "If server name matching is not used, then it
>>>> essentially decreases the level of security of peer's authentication since
>>>> the peer may end up trusting servers for EAP authentication that are not
>>>> intended to be EAP servers for the network."
>>>>
>>>>
>>> [Joe] Thanks, I think that is better wording.
>>>
>> I find the text a little hard to parse. I am not sure how comfortable we
>> are with defining "levels" of security. Also, "peer's authentication" might
>> confuse the reader since we are talking about server name matching. I don't
>> really have a better suggestion. Perhaps something along the lines: .... it
>> essentially degrades the peer's confidence that the EAP server with which
>> it is interacting is authoritative for the given network....??
>>
> Mohit, this wording makes sense, thanks!
>
> --Mohit
>>
>>
>>>
>>>> Regards,
>>>> Oleg
>>>>
>>>> On Mon, Jun 28, 2021 at 2:26 AM Joseph Salowey <joe@salowey.net> wrote:
>>>>
>>>>> This is the working group last-call (WGLC) for draft-ietf-emu-eap-tls13.
>>>>> Please review the draft, focus on the changes since the last WGLC and
>>>>> submit your comments to the list by July 8, 2021.
>>>>>
>>>>> The IETF datatracker status page for this draft is:
>>>>> https://datatracker.ietf.org/doc/draft-ietf-emu-eap-tls13/
>>>>>
>>>>> There is also an htmlized version available at:
>>>>> https://datatracker.ietf.org/doc/html/draft-ietf-emu-eap-tls13-17
>>>>>
>>>>> A diff from the previous WGLC version (-15):
>>>>>
>>>>> https://www.ietf.org//rfcdiff?url1=draft-ietf-emu-eap-tls13-17&url2=draft-ietf-emu-eap-tls13-15
>>>>>
>>>>> A diff from the previous version is available at:
>>>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-emu-eap-tls13-17
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Joe
>>>>> _______________________________________________
>>>>> Emu mailing list
>>>>> Emu@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/emu
>>>>>
>>>>
>> _______________________________________________
>> Emu mailing listEmu@ietf.orghttps://www.ietf.org/mailman/listinfo/emu
>>
>>