Re: [Emu] Resolving EAP-TLS issues
Mohit Sethi M <mohit.m.sethi@ericsson.com> Sun, 25 April 2021 07:38 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/aXhW0Wx73vXC3WZ1CdC_Q-F_H7w>
Updates on the actions thus far:

On 3/29/21 12:20 AM, Joseph Salowey wrote:
> The authors have been working on the draft-ietf-emu-eap-tls13 in the GitHub Repo (https://github.com/emu-wg/draft-ietf-emu-eap-tls13). Below is a brief summary of the Issues and PRs that have recently been merged or ready to be merged. If you are aware of issues that are not currently tracked in the repo please add them or let the chairs know. We are looking to publish a new draft in the next few weeks so indicate on the list if there are problems with these resolutions.
>
> Thanks,
>
> Joe
>
> PR #44 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/44> - Merged - Editorial - Clarifies that Message Flows are Examples
>
> PR #50 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/50> - Merged - Editorial - Moving from Master to Main terminology as in RFC8446bis
>
> PR #51 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/51> - Merged - Editorial - added text to suggest that one session ticket be sent - Issue 48 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/issues/48>
>
> PR #53 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/53> - Merged - Normative - Uses type code in the context of the key derivation - Issue 32 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/issues/32> - Issue 56 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/issues/56>
>
> PR #40 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/40> - Ready to Merge - Editorial - alignment with EAP State Machine Terminology - Issue 33 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/issues/33> Issue 36 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/issues/36>

Merged.

> PR #41 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/41> - Ready to Merge - Editorial - Discussion of packet modification attacks - Issue 36 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/issues/36>

Merged.

> PR #42 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/42> - Ready to Merge - Editorial - Reference EAP-Types draft

Merged.

> PR #45 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/45/files> - Ready to Merge - Editorial - Describes why session resumption is needed - Issue 34 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/issues/34>

Merged.

> PR #46 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/46> - Ready to Merge - Normative - Makes it mandatory to send Error Alerts to single EAP Failure - Issue 37 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/issues/37> - Issue 38 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/issues/38>

Merged.

> PR #54 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/54> - Ready to Merge - Normative - uses protected success indicators as single 0x00 byte of application data - Issue 55 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/issues/55>

Merged.

> Open Issues without proposed Resolution
>
> Issue #52 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/issues/52> - Needs Discussion and Proposal - Update security considerations with discussion of implications of no peer authentication

Commit (https://github.com/emu-wg/draft-ietf-emu-eap-tls13/commit/c1e648ab9e9f6b44f833689205528f8b53cc7db0) with the following text pushed:

  EAP servers will usually require the EAP peer to provide a valid certificate and will fail the connection if one is not provided. Some deployments may permit no peer authentication for some or all connections. When peer authentication is not used, implementations MUST take care to limit network access appropriately for unauthenticated peers and implementations MUST use resumption with caution to ensure that a resumed session is not granted more privilege than was intended for the original session.

> Issue #47 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/issues/47> - Needs Discussion and proposal - how does the peer validate the identity of the server?

Commit (https://github.com/emu-wg/draft-ietf-emu-eap-tls13/commit/d0c3d6f04c97a62ef80002d2f32622b5e8b5fbd6) with the following text merged:

  The EAP server identity in the TLS server certificate is typically a fully qualified domain name (FQDN). EAP peer implementations SHOULD allow users to configure a unique trust root (CA certificate) and a server name to authenticate the server certificate and match the subjectAlternativeName (SAN) extension in the server certificate with the configured server name. In the absence of a user-configured root CA certificate, implementations MAY rely on system-wide root CA certificate bundles for authenticating the server certificate. If server name matching is not used, then peers may end up trusting servers for EAP authentication that are not intended to be EAP servers. If name matching is not used with a public CA bundle, then effectively any server can obtain a certificate which will be trusted for EAP authentication by the Peer.

  The process of configuring a root CA certificate and a server name is non-trivial and therefore automated methods of provisioning are RECOMMENDED. For example, the eduroam federation [RFC7593] provides a Configuration Assistant Tool (CAT) to automate the configuration process.

  In the absence of a trusted root CA certificate (user configured or system-wide), EAP peers MAY implement a trust on first use (TOFU) mechanism where the peer trusts and stores the server certificate during the first connection attempt. The EAP peer ensures that the server presents the same stored certificate on subsequent interactions. Use of TOFU mechanism does not allow for the server certificate to change without out-of-band validation of the certificate and is therefore not suitable for many deployments.

> Issue #29 <https://github.com/emu-wg/draft-ietf-emu-eap-tls13/issues/29> - Needs Discussion and proposal - mutual authentication section is broader than mutual authentication

Section 2.1.1 renamed to "Authentication".

We plan to push a few more updates during the coming week. We plan to submit version -15 shortly afterwards. Publishing version -15 does not mean that it is ready for publication as RFC. Instead, it will be an opportunity for others who don't follow the draft on github to review and provide feedback.

--Mohit
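As an added illustration of the server-identity rules quoted for Issue #47 (this is not code from the draft or its authors), the following constructed Python model applies them in the order the text gives: configured trust root plus server name, then the system CA bundle, then TOFU. Certificates are simplified to an issuer name, SAN list and DER bytes; chain building is reduced to matching the issuing CA name, and name matching is enforced on the system-bundle path too, which is the stricter reading of the quoted text.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerCert:
    # Constructed stand-in for an X.509 server certificate.
    issuer_ca: str      # name of the CA that issued it (replaces chain building)
    san_dns: tuple      # subjectAltName dNSName entries
    der: bytes          # certificate bytes, used for the TOFU fingerprint


@dataclass
class PeerProfile:
    # Hypothetical EAP network profile held by the peer.
    trust_root: str = ""                    # user-configured CA, "" if none
    server_name: str = ""                   # expected server FQDN, "" if none
    system_roots: frozenset = frozenset()   # system-wide CA bundle
    tofu_pin: str = ""                      # sha256 of the pinned certificate


def fingerprint(cert: ServerCert) -> str:
    return hashlib.sha256(cert.der).hexdigest()


def name_matches(cert: ServerCert, server_name: str) -> bool:
    # Exact, case-insensitive SAN dNSName match; wildcards are not supported here.
    return server_name != "" and server_name.lower() in (n.lower() for n in cert.san_dns)


def validate_server(profile: PeerProfile, cert: ServerCert) -> tuple:
    """Return (accept, reason) for a server certificate presented in EAP-TLS."""
    if profile.trust_root:
        # Preferred path: unique trust root and SAN match against the configured name.
        if cert.issuer_ca != profile.trust_root:
            return False, "not issued under the configured trust root"
        if not name_matches(cert, profile.server_name):
            return False, "SAN does not match the configured server name"
        return True, "configured root and server name matched"
    if profile.system_roots:
        # Fallback to the system bundle. Without a name check, any holder of a
        # publicly issued certificate would be accepted, so the check is required.
        if cert.issuer_ca not in profile.system_roots:
            return False, "issuer not in the system CA bundle"
        if not name_matches(cert, profile.server_name):
            return False, "system bundle used without a matching server name"
        return True, "system root and server name matched"
    # Last resort: trust on first use. Pin on first contact, then require the same
    # certificate; a changed certificate is rejected rather than silently re-pinned.
    fp = fingerprint(cert)
    if not profile.tofu_pin:
        profile.tofu_pin = fp
        return True, "TOFU: certificate pinned on first connection"
    if profile.tofu_pin != fp:
        return False, "TOFU: server certificate changed, out-of-band validation needed"
    return True, "TOFU: pinned certificate matched"
```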