Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

Alan DeKok <aland@deployingradius.com> Thu, 12 September 2019 13:56 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <20b118932a4843b6b88e605799fafea8@aalto.fi>
Date: Thu, 12 Sep 2019 09:56:10 -0400
Cc: EMU WG <emu@ietf.org>, "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>
Message-Id: <211AD83C-D111-4EEB-AAF0-D9B5E521F4CF@deployingradius.com>
References: <7828_1564869242_5D46027A_7828_348_1_02e001d54a45$e92ae900$bb80bb00$@augustcellars.com> <20b118932a4843b6b88e605799fafea8@aalto.fi>
To: Aura Tuomas <tuomas.aura@aalto.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/PP53b0W47TUf7p4rgcQu7CvVRIw>
Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

On Sep 12, 2019, at 9:53 AM, Aura Tuomas <tuomas.aura@aalto.fi> wrote:
> 
> I was looking at the EAP-TLS with TLS 1.3 draft and noticed that it forbids PSK authentication. Why is that?

  See Section 2.1.2.  TLS 1.3 uses PSK for resumption.  As a result, we *cannot* use PSK for authentication in EAP-TLS.

> While there is the EAP-PSK method, I would much rather use EAP-TLS with PSK because it provides identity protection and perfect forward secrecy, unlike EAP-PSK. 

  Use EAP-PWD for that.

> In fact, I think EAP-TLS with PSK should become the standard authentication method for networks that rely on shared secrets, e.g. WPA-Personal. Unifying the Wi-Fi authentication around EAP would greatly simplify the Wi-Fi protocol stack. Not that I expect it to happen immediately, but we should not close sensible paths forward.

  The time to fix that was before TLS 1.3 was standardized.

  Alan DeKok.
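The point made in this reply, that TLS 1.3 reserves PSK for resumption and so EAP-TLS cannot use it for peer authentication, as an added example that is not part of this thread, of the draft, or of any TLS implementation: a toy server-side check that honours the identity in a ClientHello pre_shared_key offer only when it is a ticket this server minted after a certificate-authenticated full handshake, and rejects every other identity (an externally provisioned shared-secret identity, a tampered ticket, an expired one). The ticket layout, MAC key, peer names and the `issue_resumption_ticket` / `classify_psk_identity` helpers are all constructed for illustration; a real stack encrypts tickets and an EAP-TLS server would configure its TLS library to disable external PSKs rather than parse identities by hand.

```python
import hashlib
import hmac
import os

# Hypothetical per-server secret used to MAC resumption tickets (constructed).
TICKET_MAC_KEY = os.urandom(32)
TICKET_LIFETIME_S = 3600


def issue_resumption_ticket(peer_subject: str, issued_at: int,
                            mac_key: bytes = TICKET_MAC_KEY) -> bytes:
    """Mint a ticket only after a full, certificate-authenticated handshake.

    Toy layout: b"peer|expiry|hmac". A real TLS stack encrypts tickets; a MAC
    is enough here to show that only server-minted tickets verify, so the
    peer identity a later resumption carries is the one the certificate proved.
    """
    expiry = issued_at + TICKET_LIFETIME_S
    body = f"{peer_subject}|{expiry}".encode()
    tag = hmac.new(mac_key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def classify_psk_identity(identity: bytes, now: int,
                          mac_key: bytes = TICKET_MAC_KEY):
    """Decide what an EAP-TLS server may do with a pre_shared_key identity.

    Returns ("resumption", peer_subject) for a valid, unexpired ticket this
    server issued, or ("reject", reason) for anything else. An externally
    provisioned PSK identity lands in "reject": by inspection it is no more
    trustworthy than a forged ticket, and EAP-TLS allows PSK only for
    resumption, so the server falls back to a full certificate handshake.
    """
    parts = identity.split(b"|")
    if len(parts) != 3:
        return ("reject", "not a server-issued ticket")
    peer, expiry_b, tag = parts
    expected = hmac.new(mac_key, peer + b"|" + expiry_b,
                        hashlib.sha256).hexdigest().encode()
    # Constant-time compare so the MAC check itself leaks nothing about the tag.
    if not hmac.compare_digest(tag, expected):
        return ("reject", "ticket MAC mismatch")
    if now >= int(expiry_b):
        return ("reject", "ticket expired")
    return ("resumption", peer.decode())


def demo(now: int = 1_000_000) -> dict:
    """Run the four cases a server sees and return the decisions."""
    # Full handshake: peer proved "CN=device-17" with a certificate (validation
    # not modelled); the server mints a ticket bound to that identity.
    ticket = issue_resumption_ticket("CN=device-17", issued_at=now)
    return {
        "valid_ticket": classify_psk_identity(ticket, now + 60),
        "expired_ticket": classify_psk_identity(ticket, now + TICKET_LIFETIME_S + 1),
        "tampered_ticket": classify_psk_identity(
            ticket.replace(b"device-17", b"device-99"), now + 60),
        # What a client configured with an external (shared-secret) PSK would
        # offer; constructed identity, never minted by this server.
        "external_psk": classify_psk_identity(b"shared-secret-id-42", now + 60),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:16s} -> {decision}")
```

The only PSK offer that gets past `classify_psk_identity` is one whose identity was bound to a certificate-authenticated peer by this server; every other identity, including a perfectly well-provisioned external PSK, is turned away and the peer must present a certificate, which is the behaviour the reply above describes.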