IETF Logo Mail Archive

Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

Eliot Lear <lear@cisco.com> Fri, 01 November 2019 11:54 UTC

Return-Path: <lear@cisco.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 862E6120838; Fri, 1 Nov 2019 04:54:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vJQW_uYY3Kii; Fri, 1 Nov 2019 04:54:04 -0700 (PDT)
Received: from aer-iport-3.cisco.com (aer-iport-3.cisco.com [173.38.203.53]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7A03120834; Fri, 1 Nov 2019 04:54:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8986; q=dns/txt; s=iport; t=1572609244; x=1573818844; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=sWFj0hvAJmkfLOXMsykb5QkNGV/uDaKF/2zlx7Alm2Y=; b=JpJXO3QiMABIP+jr/x22dkUDojg2W9sUdD6/VnvqK2ckspvLsjpDa/ja sJ4npqgUXKHsN5StnuFftJCBWo3pkovMZZREGmVO2c4q7uasClJhTggD3 Z3o2SwR7j/LtDPX23pInB7+IjSvcndtxbVPfvsPnn/K2AS0mL1zt8JmCI c=;
X-Files: signature.asc : 488
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BfAAB8G7xd/xbLJq1cCRkBAQEBAQEBAQEBAQEBAQEBAREBAQEBAQEBAQEBAYF9g2EgEiqEKIkDiBmTGoYjgWcCBwEBAQkDAQEvAQGEQAKEHzgTAgMBAwIDAQEEAQEBAgEFBG2FQ4VRAQEBAQIBI1YFCwsYKgICVwYTgyIBglcgsQR1gTKFToR1EIE2gVOKVoF/gREnH4JMPoQSAQgKAQkGgyAygiwElVlhiDSPBIIugjOBE5FvG4I8h1qECocOhDeQAJR9gxcCBAYFAhWBaSJncTMaCBsVZQGCQT4SEBSRTUADMIw8gjABAQ
X-IronPort-AV: E=Sophos;i="5.68,254,1569283200"; d="asc'?scan'208,217";a="18628372"
Received: from aer-iport-nat.cisco.com (HELO aer-core-3.cisco.com) ([173.38.203.22]) by aer-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 01 Nov 2019 11:54:01 +0000
Received: from [10.61.230.56] ([10.61.230.56]) by aer-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id xA1Bs0Lk005048 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 1 Nov 2019 11:54:01 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <257044BF-5F82-4A08-861B-71F58100981C@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_B08BFD61-8099-493E-81BE-43F0145CB87F"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 01 Nov 2019 12:53:59 +0100
In-Reply-To: <3D27AB0E-508E-479D-81A5-42566F166647@deployingradius.com>
Cc: John Mattsson <john.mattsson@ericsson.com>, Joseph Salowey <joe@salowey.net>, "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Michael Richardson <mcr@sandelman.ca>, EMU WG <emu@ietf.org>
To: Alan DeKok <aland@deployingradius.com>
References: <7828_1564869242_5D46027A_7828_348_1_02e001d54a45$e92ae900$bb80bb00$@augustcellars.com> <20b118932a4843b6b88e605799fafea8@aalto.fi> <211AD83C-D111-4EEB-AAF0-D9B5E521F4CF@deployingradius.com> <8F355C6F-DF1E-4E03-B75E-0F1D2508B9D4@ericsson.com> <246280B8-6E5C-484B-95BD-9C940C98C507@deployingradius.com> <CY4PR1101MB22781AB8C8982ACF99B61544DB8E0@CY4PR1101MB2278.namprd11.prod.outlook.com> <17E08795-4E4E-4507-8384-836020966BCF@deployingradius.com> <634C375D-FBF3-4297-A5C0-E68C903CA34A@ericsson.com> <CAOgPGoBko6N_JebmisoSk_EJ=Hq21sV3xoXjLw4r7D+OFSsdZA@mail.gmail.com> <CC58A292-03D6-4D70-A11F-B8FEE7311E78@cisco.com> <26738.1570791861@dooku.sandelman.ca> <AD799A14-8268-4BAF-8925-3567973C7507@cisco.com> <9501.1570802988@dooku.sandelman.ca> <DCC85780-B079-4AD0-8870-7528270B70D8@cisco.com> <CAOgPGoA0RCY+J5bDOyUiKtFy5Vk=C11yvE8O=rsJPQeS8Fzk0A@mail.gmail.com> <B31BF8C4-6568-49F2-BBD1-BD6AC66D393C@cisco.com> <20826A11-1881-40F9-8C54-82BB90820851@deployingradius.com> <CAOgPGoCAb6hbWfPLLGDXAv80Grxn1vTTxOzLctx4E+R0ZhBvGg@mail.gmail.com> <575D1FD8-9C81-4DA7-B542-71B6D78E7BAC@deployingradius.com> <35D3B09D-B540-4465-BA4F-8EB3C34A167B@ericsson.com> <3D27AB0E-508E-479D-81A5-42566F166647@deployingradius.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Outbound-SMTP-Client: 10.61.230.56, [10.61.230.56]
X-Outbound-Node: aer-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/ZZIZK09K6iZW4Qzhl8OU0tCqQTY>
Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Nov 2019 11:54:06 -0000

Thanks, Alan.  Please see below.

> On 1 Nov 2019, at 12:08, Alan DeKok <aland@deployingradius.com> wrote:
> 
> On Nov 1, 2019, at 6:15 AM, John Mattsson <john.mattsson@ericsson.com> wrote:
>> I strongly support working group adoption of draft-dekok-emu-tls-eap-types. Can we make sure to get this document going, I agree that this is a very needed draft. I think it should include updates for everything people wants to use. I do not think draft-ietf-emu-eap-tls13 strictly have to wait for draft-dekok-emu-tls-eap-types, but draft-dekok-emu-tls-eap-types should be published shortly after.
> 
>  I will do an update to my document shortly.
> 
>  I also added an issue with the EAP-TLS document on GitHub.  The suggestion is to add text which explains how (and why) the EAP Identity is chosen during resumption:
> 
> ---
> The EAP Identity used in resumption SHOULD be the same EAP Identity as was used during the original authentication. This requirement allows EAP packets to be routable through an AAA infrastructure to the same destination as the original authentication.

Just a question: why SHOULD and not MUST?

> 
> The alternative is to derive the EAP Identity from the identity used inside of TLS. This derivation is common practice when using certificates, and works because the "common name" field in the certificate is typically compatible with EAP, and it contains a routable identifier such as an email address. This practice cannot be used for resumption, as the PSK identity may be a binary blob, and it might not contain a routable realm as suggested by RFC 7542.
> 
> In some cases, the PSK identity is derived by the underlying TLS implementation, and cannot be controlled by the EAP authenticator. These limitations make the PSK identity unsuitable for use as the EAP Identity.

Ok, so this sort of impacts the other drafts as well (NOOB and TEAP) for federated realms (we may both have this wrong).  My presumption here is that an anonymous NAI is always used, but that the realm is what people would key off of, and this would always be present.  But that presumption doesn’t hold true with the current TEAP update that we’re working on and that may be problematic.  In any case, this means that that at least the externalized identity can be used to route, and that normal TLS semantics can be used for authenticating.  It does require that tickets be managed on both ends.

My presumption is further that federation doesn’t really occur beyond the TLS endpoint, of it it does that is entirely an internal matter for the server.  We have a working example of callouts based on the identity of a client for purposes of authorization, but for authentication, I would think that would be largely a bad idea, due to secret sharing issues (when I say “federation” I mean that there should be no trust TLS secret sharing).

Is my understanding correct?

Eliot


> ---
> 
>  Alan DeKok.
>

v2.23.0 | Report a Bug | By Email