[Emu] draft-ietf-emu-eaptlscert-04

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 10 June 2020 09:02 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "emu@ietf.org" <emu@ietf.org>
Thread-Topic: draft-ietf-emu-eaptlscert-04
Thread-Index: AdY/A+a7cI/+21ekRcieJ5sNz2jGnw==
Date: Wed, 10 Jun 2020 09:02:27 +0000
Message-ID: <AM0PR08MB3716E7DA898FADADBA1A6AAAFA830@AM0PR08MB3716.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/mCXAFskhX_Hccp3HLYvcViRt9mg>
Subject: [Emu] draft-ietf-emu-eaptlscert-04
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>

Thanks for the update.

A few more minor comments on -04:

Section 4.1:

"TLS 1.3 [https://tools.ietf.org/html/rfc8446] requires implementations to support ECC."

This is only true absent an application profile defining something else.
The UTA group has just adopted a WG item that defines such a profile.

Hence, I suggest adding a remark about the profile. Something like

"In the absence of an application profile standard specifying
otherwise, a TLS 1.3-compliant application must support ECC."

4.2.  Updating TLS and EAP-TLS Code

Why are you calling the section "updating code"? The suggestion in 4.2.1 does not require a code update, and whether something requires a code update depends on what you have in the code already. Maybe you just need to enable the feature. Updating the code is also a negative aspect because you are likely going to update the code on a regular basis anyway to fix bugs and to support new algorithms. Luckily TLS has extension negotiation built in, and hence you can detect and negotiate new features on the fly.

4.2.4.  Caching Certificates

"The extension however necessitates a successful full handshake before any caching."

This is not true. The spec defines a way to populate the cache by running a full handshake.
However, you could also populate the cache by out-of-band means, for example by pre-distributing certs.

The mechanism to re-run the handshake to populate the cache is, however, a safe fallback in case the configuration changes and the pre-distributed certs become invalid. It is better to have a fallback.

I thought I made that comment before.

4.2.3.  Compact TLS 1.3

You are still stating "This naturally means that cTLS is not interoperable with previous versions of the TLS protocol."

cTLS is a compression of TLS, which means that you can fall back to TLS if the other peer does not support cTLS. As mentioned in my previous email, I don't understand why you are mentioning this aspect at all given that this document is about certificate size reduction.

Raw Public Keys

I wonder whether you should mention the possibility of using RPKs (https://tools.ietf.org/html/rfc7250) in Section 4.1.2 because those would be a fairly obvious choice in EAP-TLS given that we are talking about a nailed-up connection between the EAP peer and the EAP server. This would obviously reduce the overhead associated with certificates considerably.

Ciao
Hannes


IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
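The two points above about certificate caching (4.2.4) and raw public keys, illustrated with an added example that is not code from the draft, from Hannes or from any EAP-TLS implementation. It generates a P-256 key, compares the bytes a single self-signed X.509 certificate costs on the wire against the DER SubjectPublicKeyInfo that an RFC 7250 RawPublicKey carries instead, and models a client-side certificate cache that can be filled either out of band (pre-distributed certs) or by falling back to a full handshake when the pre-distributed entry is stale. Assumptions: the chain is one self-signed certificate (real EAP-TLS chains are larger), the cache key is a SHA-256 over the concatenated DER certificates (an illustrative choice, not the exact hash input RFC 7924 specifies), and the name eap.example.net and the Identity/CertCache types are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Identity is one TLS end point's credential as it would go on the wire:
// either a DER certificate chain, or the DER SubjectPublicKeyInfo, which is
// exactly the payload an RFC 7250 RawPublicKey carries instead of a chain.
type Identity struct {
	Chain [][]byte // DER X.509 certificates, leaf first
	SPKI  []byte   // DER SubjectPublicKeyInfo for the same key
}

// NewIdentity generates a P-256 key (ECC, which TLS 1.3 makes mandatory to
// implement absent an application profile) and a self-signed certificate.
// The certificate is deliberately plain; real EAP-TLS chains are larger.
func NewIdentity(name string) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		DNSNames:              []string{name},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	spki, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, err
	}
	return &Identity{Chain: [][]byte{der}, SPKI: spki}, nil
}

// ChainSize is the number of certificate bytes a full handshake would carry.
func ChainSize(chain [][]byte) int {
	n := 0
	for _, c := range chain {
		n += len(c)
	}
	return n
}

// Fingerprint is the cache key for a chain: SHA-256 over the concatenated
// DER certificates. Assumption for this example only; RFC 7924 defines its
// own hash input and a real implementation must follow that.
func Fingerprint(chain [][]byte) [32]byte {
	h := sha256.New()
	for _, c := range chain {
		h.Write(c)
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// CertCache models the client-side cache discussed in 4.2.4.
type CertCache struct {
	entries   map[[32]byte][][]byte
	Fallbacks int // full handshakes that were needed to (re)fill the cache
}

func NewCertCache() *CertCache { return &CertCache{entries: map[[32]byte][][]byte{}} }

// Preload fills the cache out of band (certs pre-distributed at provisioning
// time, for instance) without running any handshake at all.
func (c *CertCache) Preload(chain [][]byte) {
	c.entries[Fingerprint(chain)] = chain
}

// Resolve looks up the chain the server advertised by fingerprint. On a miss
// (e.g. the pre-distributed cert was rotated) it runs the full handshake the
// caller supplies, stores the result and reports that the fallback was used.
func (c *CertCache) Resolve(fp [32]byte, fullHandshake func() [][]byte) ([][]byte, bool) {
	if chain, ok := c.entries[fp]; ok {
		return chain, true
	}
	chain := fullHandshake()
	c.Fallbacks++
	c.entries[Fingerprint(chain)] = chain
	return chain, false
}

func main() {
	server, err := NewIdentity("eap.example.net")
	if err != nil {
		panic(err)
	}
	fmt.Printf("X.509 chain: %d bytes, raw public key: %d bytes\n", ChainSize(server.Chain), len(server.SPKI))

	cache := NewCertCache()
	cache.Preload(server.Chain) // out-of-band population, no handshake yet
	_, hit := cache.Resolve(Fingerprint(server.Chain), func() [][]byte { return server.Chain })
	fmt.Println("pre-distributed chain found in cache:", hit)

	rotated, _ := NewIdentity("eap.example.net") // server re-keyed: preloaded copy is stale
	fp := Fingerprint(rotated.Chain)
	_, hit = cache.Resolve(fp, func() [][]byte { return rotated.Chain })
	fmt.Println("after rotation, cache hit:", hit, "full handshakes run:", cache.Fallbacks)
	fmt.Println("new fingerprint:", hex.EncodeToString(fp[:]))
}
```

The size gap is the argument for RPKs on a nailed-up EAP peer/server link: the 91-byte SPKI is all the verifier needs once the key is pinned, whereas even this minimal certificate is several hundred bytes before any intermediates. The cache shows why the full-handshake path should stay as a fallback rather than being the only way to populate the cache.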