Re: [Emu] Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Tue, 05 January 2021 05:50 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E6C93A1031; Mon, 4 Jan 2021 21:50:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CvOLtIcTtXIQ; Mon, 4 Jan 2021 21:50:38 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 761D53A102E; Mon, 4 Jan 2021 21:50:36 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 1055oRHg009839 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 5 Jan 2021 00:50:31 -0500
Date: Mon, 04 Jan 2021 21:50:26 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Mohit Sethi M <mohit.m.sethi@ericsson.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>, "emu@ietf.org" <emu@ietf.org>, Joseph Salowey <joe@salowey.net>
Message-ID: <20210105055026.GR93151@kduck.mit.edu>
References: <160815821055.25925.15897627611548078426@ietfa.amsl.com> <6019f95d-b38f-443d-4ca9-977d5bb50e6a@ericsson.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <6019f95d-b38f-443d-4ca9-977d5bb50e6a@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/O0E0hMLuSI2OYVBKyD1hCKcNjeM>
Subject: Re: [Emu] Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jan 2021 05:50:41 -0000
On Fri, Jan 01, 2021 at 05:03:45PM +0000, Mohit Sethi M wrote: > Hi Ben, > > Thanks for the usual detailed feedback. I haven't yet addressed all the > comments in your COMMENT section. Below, I copy the comments which have > now been addressed in github: > https://github.com/emu-wg/draft-ietf-emu-eap-tls13/commit/901a28578c65b8b483eecf6394cfc218b3d02f2b > > > Using BCP195 as the slug is probably preferred, since any RFCs > > associated with the BCP are going to be relevant and topical > Done! I think. Not sure if this is the right way to do it : <xref > target="RFC7525">BCP 195</xref>? The RFC Editor will help out on this one. > > Section 5.9 > > > > Pervasive monitoring refers to widespread surveillance of users. In > > the context EAP-TLS, pervasive monitoring attacks can target EAP-TLS > > > > nit: "context of" > Fixed. Also reported by Erik Kline! > > > static RSA based cipher suites without privacy. This implies that an > > EAP-TLS peer SHOULD NOT continue the handshake if a TLS 1.2 EAP-TLS > > server responds to an empty certificate message with a TLS alert > > message. > > > > Just to check my understanding, this "response" would be an EAP-TLS > > response containing a new ClientHello (that would proceed to do a > > handshake including the client certificate in the unprotected initial > > handshake)? That is, it would be a response at the EAP layer but not at > > the TLS layer. > In EAP, servers send EAP-Request and peer send EAP-Response. I changed > the text somewhat. It now reads "Therefore, it is RECOMMENDED for > EAP-TLS peers to not use EAP-TLS with TLS 1.2 and static RSA based > cipher suites without privacy. This implies that an EAP-TLS peer SHOULD > NOT continue the handshake if a TLS 1.2 EAP-TLS server sends an > EAP-TLS/Request with a TLS alert message in response to an empty > certificate message from the peer." Other suggestions to improve are > welcome. Even that seems to help a lot. > > and only using the pseudo-random usernames a single time. Note that > > the privacy-friendly usernames also MUST NOT include substrings that > > can be used to relate the identity to a specific user. Similarly, > > privacy-friendly username SHOULD NOT be formed by a fixed mapping > > that stays the same across multiple different authentications. > > > > I think that violating the SHOULD NOT would intrinsically violate the > > preceding MUST NOT ... so should they both be MUST NOTs > Changed to MUST NOT. > > > Section 5.8 > > > > Tracking of users by eavesdropping on identity responses or > > certificates is a well-known problem in many EAP methods. When EAP- > > TLS is used with TLS 1.3, all certificates are encrypted, and the > > username part of the identity response is always confidentiality > > protected (e.g. using anonymous NAIs). [...] > > > > As written this applies to server certificates as well as TLS client > > certificates. For which the statement is technically true, but with the > > caveat that it is typically easy to persuade the server to (re-)send > > those same certificates encrypted to a key known to the attacker, so the > > protection provided by the encryption is limited. (The server has been > > fairly strongly authenticated by the time the EAP peer makes the > > decision to send its certificate, so there the reverse situation is > > different.) > Added a sentence to note this: "When EAP-TLS is used with TLS 1.3, all > certificates are encrypted, and the username part of the identity > response is always confidentiality protected (e.g., using anonymous > NAIs). Note that even though all certificates are encrypted, the > server's identity is only protected against passive attackers while > client's identity is protected against both passive and active > attackers. As with other EAP methods, even when privacy-friendly > identifiers or EAP tunneling is used, the domain name (i.e., the realm) > in the NAI is still typically visible." > > > Section 4.2.11, 8.1, and 8.2 of [RFC8446] provides security > > considerations for resumption. > > > > I'm curious why specifically § 8.1 and 8.2 were selected, given that §8 > > as a whole is about "0-RTT and Anti-Replay", which is a more specific > > topic than just resumption. > Updated to section 2.2 and 4.2.11 of RFC 8446. > > > Where a good decision is unclear, EAP-TLS servers SHOULD reject the > > resumption. > > > > I suggest "reject the assumption and continue with a full handshake". > Makes sense. Done! > > > If any authorization, accounting, or policy decisions were made with > > information that have changed between the initial full handshake and > > resumption, and if change may lead to a different decision, such > > decisions MUST be reevaluated. It is RECOMMENDED that authorization, > > accounting, and policy decisions are reevaluated based on the > > information given in the resumption. [...] > > > > I'm not sure I understand how these two sentences fit together. Is it > > trying to say that "if there could be a different decision, you > > definitly have to re-check, and we recommend just always re-checking > > since that's timpler"? > Yes. > > > Section 5.7 > > > > and the authorizations of the other party may have been reduced. If > > the cached revocation is not sufficiently current, the EAP-TLS peer > > or EAP-TLS server MAY force a full TLS handshake. > > > > nit: s/cached revocation/cached revocation data/ > > > > in the certificate chain has been revoked or has expired. In all > > such cases, resumption results in a full TLS handshake instead. > > > > nit: s/resumption results/an attempt at resumption results/ (or similar) > Fixed. > > > Section 5.5 > > > > It seems like there may be some scope for improvements on the RFC 5216 > > behavior here. For example, what if we used the EAP Type field as the > > TLS Exporter 'context' argument, instead of the literal 0x0D? That > > seems like it would prevent the modification from successfully causing a > > different TLS-based EAP method to be used, by using a different > > key-derivation formula, exactly as postulated by RFC 5126. > 0x0D is the EAP type for EAP-TLS: > https://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-4 > > > To enable revocation checking in situations where EAP-TLS peers do > > not implement or use OCSP stapling, and where network connectivity is > > not available prior to authentication completion, EAP--TLS peer > > implementations MUST also support checking for certificate revocation > > after authentication completes and network connectivity is available, > > and they SHOULD utilize this capability by default. > > > > If it's RECOMMENDED to use OCSP stapling, what does it mean that they > > "SHOULD utilize this capability by default" (as well)? > > > > (Also, nit: only one '-' in EAP-TLS.) > Fixed the nit. This text was based on RFC 5216 which says " MUST also > support checking for certificate revocation after authentication > completes and network connectivity is available, and they SHOULD utilize > this capability by default.". I have now tried to reformulate as "To > enable revocation checking in situations where EAP-TLS peers do not > implement or use OCSP stapling, and where network connectivity is not > available prior to authentication completion, EAP-TLS peer > implementations MUST also support checking for certificate revocation > after authentication completes and network connectivity is available, > and peers SHOULD utilize this in the absence of other revocation > checking mechanisms.". Other suggestions are welcome. Ah, that makes more sense than my initial "as well" reaction. Thanks! > > TLS, see Section 4.4.2.1 of [RFC8446]. In TLS 1.3 the OCSP > > information is carried in the CertificateEntry containing the > > associated certificate instead of a separate CertificateStatus > > message as in [RFC4366]. This enables sending OCSP information for > > > > RFC 4366 seems like a stale (obsolete) reference, and RFC 6066 should be > > preferred. (RFC 4366 would then become an unused reference, I believe.) > Thanks. Fixed. > > > [3] Key strength: TLS 1.3 forbids all algorithms with known > > weaknesses including 3DES, CBC mode, RC4, SHA-1, and MD5. TLS 1.3 > > > > Where does RFC 8446 forbid 3DES? CBC is forbidden by the requirement to > > be AEAD, and RC4 and MD5 are explicitly forbidden, but the situation for > > SHA-1 is more subtle. Please reword this sentence to be accurate. > Updated to: "TLS 1.3 forbids algorithms such as RC4 and MD5 which have > known weaknesses." > > > Section 5.1 > > > > [2] Confidentiality: The TLS 1.3 handshake offers much better > > confidentiality than earlier versions of TLS by mandating cipher > > suites with confidentiality and encrypting certificates and some of > > the extensions, see [RFC8446]. When using EAP-TLS with TLS 1.3, the > > > > I note that there exist codepoints for TLS 1.3 ciphersuites that do not > > provide confidentiality protection. Please point to the part of RFC > > 8446 that mandates this behavior. > The text now says "The TLS 1.3 handshake offers much better > confidentiality than earlier versions of TLS. The mandatory to implement > cipher suites of [RFC8446] ensure confidentiality. TLS 1.3 also encrypts > certificates and some of the extensions. When using EAP-TLS with TLS > 1.3, the use of privacy is mandatory and does not cause any additional > round-trips." > > > username in cleartext in the Identity Response. Following [RFC7542], > > it is RECOMMENDED to omit the username (i.e. the NAI is @realm), but > > other constructions such as a fixed username (e.g. anonymous@realm) > > or an encrypted username (e.g. YmVuZGVy@realm) are allowed. Note > > > > (I note that YmVuZGVy is just base64("bender"); does that really count > > as "encrypted"?) > Updated to xCZINCPTK5+7y81CrSYbPg+RKPE3OTrYLn4AQc4AC2U=@realm. Much more random :) Thanks, the rest of this all sounds good. -Ben > > Section 2.1.6 > > > > the handshake. One use case is if the EAP-TLS server does not > > support the groups in the "key_share" extension, but supports one of > > > > I'd consider adding a parenthetical "(or there is no "key_share" > > extension)". > Done. > > --Mohit >
- [Emu] Benjamin Kaduk's Discuss on draft-ietf-emu-… Benjamin Kaduk via Datatracker
- [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Emu] Benjamin Kaduk's Discuss on draft-ietf-… Alan DeKok
- Re: [Emu] Benjamin Kaduk's Discuss on draft-ietf-… Mohit Sethi M
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Martin Thomson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Martin Thomson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Martin Thomson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Martin Thomson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [Emu] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Salz, Rich
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Michael Richardson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Dan Harkins
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Michael Richardson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- [Emu] Fwd: [TLS] Fwd: Benjamin Kaduk's Discuss on… Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Martin Thomson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Jorge Vergara
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … John Mattsson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Jorge Vergara
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Jorge Vergara
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Peter Gutmann
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Salz, Rich
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Jorge Vergara
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … John Mattsson
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on … John Mattsson