IETF Logo Mail Archive

Re: [Emu] New Version Notification for draft-janfred-eap-fido-02.txt

Jan-Frederik Rieckers <rieckers@dfn.de> Mon, 04 March 2024 16:29 UTC

Return-Path: <rieckers@dfn.de>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EE8DC15108E for <emu@ietfa.amsl.com>; Mon, 4 Mar 2024 08:29:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dfn.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EuylgVG_GMuA for <emu@ietfa.amsl.com>; Mon, 4 Mar 2024 08:29:16 -0800 (PST)
Received: from a1004.mx.srv.dfn.de (a1004.mx.srv.dfn.de [IPv6:2001:638:d:c301:acdc:1979:2:58]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 659C9C14CE30 for <emu@ietf.org>; Mon, 4 Mar 2024 08:29:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dfn.de; h= content-type:content-type:in-reply-to:organization:from:from :references:content-language:subject:subject:user-agent :mime-version:date:date:message-id:received; s=s1; t=1709569750; x=1711384151; bh=FiDAMSvskTCaNdDyDEZhgjz2FXnrpfcqhK3P3zhNmZ8=; b= ZrrQ42+6SZMT5/k5/7JWHKdEZxS66ebyNUdhdN40Uassbd7GW91iuuPGKjvV58QC 92alaYmjvfm9quQl7KkxqY5xBAVn2cgLIMBHfH2kyvC4YSh3y8Zi1zaZyDAp2krj yGLB2cSuYOGb3KqHX81TKhK+ZwwBn66qQyapcmHsiN0=
Received: from mail.dfn.de (mail.dfn.de [IPv6:2001:638:d:c102::150]) by a1004.mx.srv.dfn.de (Postfix) with ESMTPS id AC16E2000D9 for <emu@ietf.org>; Mon, 4 Mar 2024 17:29:10 +0100 (CET)
Received: from [IPV6:2a02:8106:57:952a:c8a6:5f15:1740:f30c] (unknown [IPv6:2a02:8106:57:952a:c8a6:5f15:1740:f30c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mspool2.in.dfn.de (Postfix) with ESMTPSA id 733793D6 for <emu@ietf.org>; Mon, 4 Mar 2024 17:29:10 +0100 (CET)
Message-ID: <7bfb8c2a-2bb3-486f-b6f1-e64b91932fd1@dfn.de>
Date: Mon, 04 Mar 2024 17:28:59 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: emu@ietf.org
References: <170932527085.22824.18343512124707075119@ietfa.amsl.com> <66bca1b2-4b2d-429d-8f85-5c76d29005ad@dfn.de> <19d725e9-586d-4f37-855a-dca2c5c04998@app.fastmail.com>
From: Jan-Frederik Rieckers <rieckers@dfn.de>
Organization: DFN e.V.
In-Reply-To: <19d725e9-586d-4f37-855a-dca2c5c04998@app.fastmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms010409010108070900040107"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/TKuGOYH8vp5mFqRYlmVLqGD02PY>
Subject: Re: [Emu] New Version Notification for draft-janfred-eap-fido-02.txt
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2024 16:29:21 -0000

Hi, here the answer to the questions regarding PKIDs:


On 04.03.24 11:06, Alexander Clouter wrote:
> Why not just *always* send the list of PKIDs? How is this list formed by a server *before* it  knows the user identity? Is a possible that the anon identify from Phase 1 is enough to perform this?

The list is formed by the server AFTER querying for the user's identity.

Taking a step back:
For the FIDO authentication, we have two authentication options:

(I always use "PKID" in this mail, the FIDO terminology uses "Credential 
ID" and "Public Key Credential source", but for the server, both are 
just arbitrary strings that uniquely identify a public key, I still have 
to read the FIDO specs in full to decide which of these terms I should 
use in the final document)


Option 1: Discoverable Credentials.

The client knows the RelyingParty ID and has a credential stored for 
that RPID. It can simply sign the request, and includes both the 
signature and the PKID used for the signature in the answer.
The server recognizes the user by the PKID the client sends, and can 
look up the public key for that particular PKID and then verify the 
signature.



Option 2: Server-Side Credentials.

The client knows the RelyingParty ID, but has no discoverable 
credentials, so it needs additional information. The client sends its 
username to the server, and only now the server has enough information 
to compile the list of PKIDs.

This is just a simple "SELECT PKID from USER_DB where USER='<username>'"
The server simply looks up all PKIDs that is has stored for this user.

(Theoretically, the server could compile this list earlier if the client 
sent its real identity in the anonymous identity, but we shouldn't even 
make that a possibility, some vendor will think "hey, that's a great 
idea, let's ignore that this is supposed to be an ANONYMOUS identity and 
fill in our real identity". (Just a random thought, not that this 
happened before)

The PKIDs are the "containers" with which the FIDO Authenticator can 
reconstruct the private key that was generated during registration and 
can sign the request with that private key.

Since every PKID is bound to one specific FIDO Authenticator and with 
non-discoverable credentials, the Authenticator does not store state 
locally, there is no way of determining the PKID in any other way than 
having the server send a list over.


I hope that made it clearer.


As you asked for some resources (not sure whether they are suitable as 
bedtime-stories though *grin* )

https://www.w3.org/TR/webauthn/ has a lot of good definitions and 
descriptions on how certain things work, I'd suggest looking at these 
terms specifically:
* "Credential ID"
* "Discoverable Credential"
* "Server-side Credential"


> 
> I am trying to reconcile these two descriptions and the closest I can get is it seems in practice PKIDs can only be offered by the server after seeing the identity?
> 
> By introducing EAP Identity an implementer would be more easily able to proxy the inner FIDO authentication but the downside of this is it would bring in an extra round trip as the server still has to send after the EAP Identity response "now do FIDO" and the client cannot initiate this.
> 
> On a related note, as a passing thought though I am not sure how this could work, opportunistically could the client make use of the SubjectAltName from the outer TLS jacket of Phase 1 to infer a suitable PKID and avoid needing to make an 'information' round trip? If the server side thinks the peer has picked incorrectly, that is when it responses with the list of PKIDs as it now also knows the peer's identity.

Cheers,

Janfred

-- 
Herr Jan-Frederik Rieckers
Security, Trust & Identity Services

E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370
Pronomen: er/sein | Pronouns: he/him
__________________________________________________________________________________

DFN - Deutsches Forschungsnetz | German National Research and Education 
Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
https://www.dfn.de

Vorstand: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | 
Christian Zens
Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch
VR AG Charlottenburg 7729B | USt.-ID. DE 136623822

v2.23.0 | Report a Bug | By Email