[Emu] FW: Comment on draft-thomson-tls-sic-00

John Mattsson <john.mattsson@ericsson.com> Fri, 29 March 2019 10:50 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: 'EMU WG' <emu@ietf.org>
Thread-Topic: Comment on draft-thomson-tls-sic-00
Thread-Index: AQHU5hHk9r1yI3Oidk+mAiqUq9JKM6YierSAgAAEXwA=
Date: Fri, 29 Mar 2019 10:50:30 +0000
Message-ID: <B43043C3-769C-4A2B-90F6-573BE7399C08@ericsson.com>
References: <AC987170-3F9F-4682-B49B-872B9028692F@ericsson.com> <745ED9FE-9C31-4687-BD64-836155A28AEC@ericsson.com>
In-Reply-To: <745ED9FE-9C31-4687-BD64-836155A28AEC@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/ZRJVNr3HllrMxQmk4HT7Nn6-esc>
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>

I think draft-thomson-tls-sic-00 solves all the problems that the EMU WG has identified. The draft only works with EAP-TLS 1.3, but I think that is fine. Any implementation willing to update the TLS code should update to TLS 1.3. I agree with Martin Thomson that the TLS WG should not spend time on TLS 1.2.

Cheers,
John

-----Original Message-----
From: John Mattsson <john.mattsson@ericsson.com>
Date: Friday, 29 March 2019 at 11:34
To: "TLS@ietf.org" <TLS@ietf.org>
Subject: Re: Comment on draft-thomson-tls-sic-00

    Some more comments after reading the draft in detail.
    
    - The abstract and introduction only talk about the ClientHello use case. They should briefly mention the CertificateRequest use case as well.
    
    - I notice that the draft does not have any requirement on how the client gets access to the intermediary certificates. I think this is the right approach.
    
    The problem discussed in EMU is that many access points drop EAP connections after 40-50 packets, and that EAP-TLS connections with large certificate chains may therefore be unable to complete.
    
    One approach discussed in EMU is that the client could take intermediate certificates from an earlier EAP-TLS connection that was dropped by the access point. This draft currently allows that. I think that is correct. I cannot see that the distribution of intermediary certificates needs any security requirements, as the client can verify them with the help of one of its trust anchors.
    
    Cheers,
    John
    
    -----Original Message-----
    From: John Mattsson <john.mattsson@ericsson.com>
    Date: Friday, 29 March 2019 at 10:29
    To: "TLS@ietf.org" <TLS@ietf.org>
    Subject: Comment on draft-thomson-tls-sic-00
    
        Hi,
        
        I strongly support solving the problem this draft is trying to solve. This is a problem that the EMU WG has identified and discussed in the past.
        
        https://tools.ietf.org/html/draft-ms-emu-eaptlscert-02
        
        I will add text discussing draft-thomson-tls-sic-00 to draft-ms-emu-eaptlscert-03 and ask for agenda time in EMU at IETF 105 to discuss if draft-thomson-tls-sic-00 solves the problems of the EMU WG.
        
        The EMU WG actually briefly discussed this Monday whether the WG thought there were any updates to TLS that needed to be driven in the TLS WG.
        
        Cheers,
        John
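
The packet-count problem John describes (access points dropping EAP sessions after a few dozen packets, and certificate chains pushing a handshake past that limit) is easy to reason about with a small estimator. The following is an added example, not code from the e-mail, from draft-thomson-tls-sic or from draft-ms-emu-eaptlscert. It models EAP-TLS fragmentation the way RFC 5216 describes it (each TLS flight is cut into EAP fragments, and every fragment except the last is acknowledged by a one-packet reply from the peer) and compares a full chain against the same handshake with intermediates suppressed in one or both directions. The fragment size, the per-message overhead sizes, the fixed EAP overhead and the certificate sizes are constructed assumptions chosen to be realistic, not measurements.

```python
"""Estimate EAP packet count for an EAP-TLS 1.3 handshake with and without
intermediate certificates on the wire (draft-thomson-tls-sic).

Added example; all sizes below are constructed assumptions, not measurements.
"""
import math

# Assumed EAP-TLS fragment payload size. Real deployments are typically
# limited by RADIUS/EAP framing to roughly 1000 bytes per fragment.
EAP_TLS_FRAGMENT_SIZE = 1000

# Assumed fixed packets outside the TLS flights: EAP-Request/Identity,
# EAP-Response/Identity, EAP-Request/EAP-TLS Start, EAP-Success.
EAP_FIXED_OVERHEAD = 4

# Constructed certificate sizes in bytes: [end-entity, intermediate, intermediate].
# The trust anchor itself is never sent on the wire.
SERVER_CHAIN = [2000, 1800, 1800]
CLIENT_CHAIN = [2000, 1800, 1800]


def fragments(nbytes, frag=EAP_TLS_FRAGMENT_SIZE):
    """Number of EAP-TLS fragments needed to carry a TLS flight of nbytes."""
    return max(1, math.ceil(nbytes / frag))


def flight_packets(nbytes, frag=EAP_TLS_FRAGMENT_SIZE):
    """EAP packets consumed by one TLS flight.

    RFC 5216 section 2.1.5: each fragment is one EAP packet and every fragment
    except the last is answered by a one-packet acknowledgement before the next
    fragment is sent. The last fragment is answered by the peer's own next
    flight, which is counted separately.
    """
    n = fragments(nbytes, frag)
    return n + (n - 1)


def chain_bytes(cert_sizes, send_intermediates=True):
    """Bytes of Certificate message payload; intermediates optionally suppressed."""
    leaf, intermediates = cert_sizes[0], cert_sizes[1:]
    return leaf + (sum(intermediates) if send_intermediates else 0)


def handshake_packets(server_chain, client_chain,
                      suppress_server_ints=False, suppress_client_ints=False,
                      frag=EAP_TLS_FRAGMENT_SIZE):
    """Estimated total EAP packets for a mutually authenticated EAP-TLS 1.3
    handshake. Flight overheads (ClientHello, ServerHello+EncryptedExtensions+
    CertificateRequest+CertificateVerify+Finished, client CertificateVerify+
    Finished, NewSessionTicket/commitment) are constructed round numbers."""
    flights = [
        300,                                                        # ClientHello
        500 + chain_bytes(server_chain, not suppress_server_ints),  # server flight
        300 + chain_bytes(client_chain, not suppress_client_ints),  # client flight
        200,                                                        # server post-handshake
    ]
    return EAP_FIXED_OVERHEAD + sum(flight_packets(b, frag) for b in flights)


def fits_within(packet_limit, **kwargs):
    """True if the estimated handshake stays under an access point's packet cap."""
    return handshake_packets(SERVER_CHAIN, CLIENT_CHAIN, **kwargs) <= packet_limit


if __name__ == "__main__":
    scenarios = {
        "full chains both ways": {},
        "server intermediates suppressed (ClientHello flag)": {"suppress_server_ints": True},
        "both suppressed (ClientHello + CertificateRequest flags)": {
            "suppress_server_ints": True, "suppress_client_ints": True},
    }
    for name, opts in scenarios.items():
        print(f"{name}: {handshake_packets(SERVER_CHAIN, CLIENT_CHAIN, **opts)} EAP packets")
```

With the constructed sizes the full handshake costs 30 EAP packets, suppressing server intermediates brings it to 22, and suppressing both sides' intermediates brings it to 16; shrinking the fragment size (many deployments sit below 1000 bytes) or adding a third intermediate pushes the full-chain case toward the 40-50 packet range at which John notes access points give up, while the suppressed case barely moves.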