Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

Joseph Salowey <joe@salowey.net> Sun, 03 November 2019 18:31 UTC

References: <7828_1564869242_5D46027A_7828_348_1_02e001d54a45$e92ae900$bb80bb00$@augustcellars.com> <20b118932a4843b6b88e605799fafea8@aalto.fi> <211AD83C-D111-4EEB-AAF0-D9B5E521F4CF@deployingradius.com> <8F355C6F-DF1E-4E03-B75E-0F1D2508B9D4@ericsson.com> <246280B8-6E5C-484B-95BD-9C940C98C507@deployingradius.com> <CY4PR1101MB22781AB8C8982ACF99B61544DB8E0@CY4PR1101MB2278.namprd11.prod.outlook.com> <17E08795-4E4E-4507-8384-836020966BCF@deployingradius.com> <634C375D-FBF3-4297-A5C0-E68C903CA34A@ericsson.com> <CAOgPGoBko6N_JebmisoSk_EJ=Hq21sV3xoXjLw4r7D+OFSsdZA@mail.gmail.com> <CC58A292-03D6-4D70-A11F-B8FEE7311E78@cisco.com> <26738.1570791861@dooku.sandelman.ca> <AD799A14-8268-4BAF-8925-3567973C7507@cisco.com> <9501.1570802988@dooku.sandelman.ca> <DCC85780-B079-4AD0-8870-7528270B70D8@cisco.com> <CAOgPGoA0RCY+J5bDOyUiKtFy5Vk=C11yvE8O=rsJPQeS8Fzk0A@mail.gmail.com> <B31BF8C4-6568-49F2-BBD1-BD6AC66D393C@cisco.com> <20826A11-1881-40F9-8C54-82BB90820851@deployingradius.com> <CAOgPGoCAb6hbWfPLLGDXAv80Grxn1vTTxOzLctx4E+R0ZhBvGg@mail.gmail.com> <575D1FD8-9C81-4DA7-B542-71B6D78E7BAC@deployingradius.com> <35D3B09D-B540-4465-BA4F-8EB3C34A167B@ericsson.com> <3D27AB0E-508E-479D-81A5-42566F166647@deployingradius.com>
In-Reply-To: <3D27AB0E-508E-479D-81A5-42566F166647@deployingradius.com>
From: Joseph Salowey <joe@salowey.net>
Date: Sun, 03 Nov 2019 10:31:09 -0800
Message-ID: <CAOgPGoCHZ+aNJQ2NCwe0v8Xu1swtY+QLMDn9niqjttnsK-pyFg@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: John Mattsson <john.mattsson@ericsson.com>, Eliot Lear <lear@cisco.com>, "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Michael Richardson <mcr@sandelman.ca>, EMU WG <emu@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/acSwaT9vm4Jorxy1UZYiUTCbFG0>
Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

On Fri, Nov 1, 2019 at 4:08 AM Alan DeKok <aland@deployingradius.com> wrote:

> On Nov 1, 2019, at 6:15 AM, John Mattsson <john.mattsson@ericsson.com>
> wrote:
> > I strongly support working group adoption of
> draft-dekok-emu-tls-eap-types. Can we make sure to get this document going?
> I agree that this is a very needed draft. I think it should include updates
> for everything people want to use. I do not think draft-ietf-emu-eap-tls13
> strictly has to wait for draft-dekok-emu-tls-eap-types, but
> draft-dekok-emu-tls-eap-types should be published shortly after.
>
>   I will do an update to my document shortly.
>
>   I also added an issue with the EAP-TLS document on GitHub.  The
> suggestion is to add text which explains how (and why) the EAP Identity is
> chosen during resumption:
>
> ---
> The EAP Identity used in resumption SHOULD be the same EAP Identity as was
> used during the original authentication. This requirement allows EAP
> packets to be routable through an AAA infrastructure to the same
> destination as the original authentication.
>
> The alternative is to derive the EAP Identity from the identity used inside
> of TLS. This derivation is common practice when using certificates, and
> works because the "common name" field in the certificate is typically
> compatible with EAP, and it contains a routable identifier such as an email
> address. This practice cannot be used for resumption, as the PSK identity
> may be a binary blob, and it might not contain a routable realm as
> suggested by RFC 7542.
>
>
[Joe] Do implementations use the whole common name or just the domain
portion?  Using the whole common name is not advisable with TLS 1.3.


> In some cases, the PSK identity is derived by the underlying TLS
> implementation, and cannot be controlled by the EAP authenticator. These
> limitations make the PSK identity unsuitable for use as the EAP Identity.
>

[Joe]  Is EAP Identity Synonymous with the NAI?


> ---
>
>   Alan DeKok.
>
>
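The identity selection discussed above, as an added worked example (this is illustrative code written for this page, not code from draft-ietf-emu-eap-tls13, draft-dekok-emu-tls-eap-types, or any implementation mentioned in the thread). It assumes the EAP Identity is an NAI-shaped string in the sense of RFC 7542, treats everything after the last "@" as the realm that AAA proxies route on (a simplification of the RFC 7542 grammar, restricted here to ASCII labels), and uses a constructed certificate Common Name and a constructed opaque PSK identity as inputs. It shows the two derivations the proposed text contrasts: a certificate Common Name that carries a routable realm (kept whole, or reduced to an anonymous "username@realm" form so the cleartext EAP Identity does not expose the full name), and a TLS 1.3 PSK identity that is a binary blob from which no realm can be recovered, which is why resumption reuses the original EAP Identity instead.

```python
"""Choosing the outer EAP Identity for EAP-TLS: original authentication vs. resumption.

Constructed example for this page; not the draft's or any implementation's code.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Simplified RFC 7542 realm: at least two dot-separated LDH labels (ASCII only here;
# the RFC also permits UTF-8 labels). utf8-realm = 1*( label "." ) label
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_REALM_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


@dataclass(frozen=True)
class NAI:
    username: str
    realm: Optional[str]  # None when the identity carries no realm (not proxy-routable)


def parse_nai(identity: str) -> NAI:
    """Split an identity into username and realm.

    Assumption: the realm is whatever follows the last "@", which is what AAA
    proxies route on. Raises ValueError when the realm is not dot-separated labels.
    """
    if "@" not in identity:
        return NAI(username=identity, realm=None)
    username, _, realm = identity.rpartition("@")
    if not _REALM_RE.match(realm):
        raise ValueError(f"unroutable realm in identity: {realm!r}")
    return NAI(username=username, realm=realm)


def identity_from_certificate(common_name: str, anonymous: bool = True) -> str:
    """Derive the EAP Identity from a certificate Common Name (original authentication).

    With anonymous=True only the realm is kept ("anonymous@realm"), so the cleartext
    EAP Identity does not reveal the name that TLS 1.3 otherwise keeps encrypted.
    Raises ValueError when the CN has no realm and therefore cannot be routed.
    """
    nai = parse_nai(common_name)
    if nai.realm is None:
        raise ValueError(f"common name {common_name!r} carries no realm")
    return common_name if not anonymous else f"anonymous@{nai.realm}"


def psk_identity_is_routable(psk_identity: bytes) -> bool:
    """Return True only if a PSK identity could serve as an NAI with a realm.

    TLS 1.3 resumption PSK identities are usually opaque tickets chosen by the TLS
    stack; they are typically not valid UTF-8, let alone NAI-shaped.
    """
    try:
        text = psk_identity.decode("utf-8")
    except UnicodeDecodeError:
        return False
    try:
        return parse_nai(text).realm is not None
    except ValueError:
        return False


def identity_for_resumption(original_identity: str, psk_identity: bytes) -> str:
    """Pick the EAP Identity for a resumption attempt.

    Follows the proposed text: reuse the EAP Identity from the original
    authentication so the AAA infrastructure routes to the same server. The PSK
    identity is never used, even when it happens to look routable, because the
    EAP peer does not control how the TLS stack chooses it.
    """
    del psk_identity  # deliberately ignored, see docstring
    return original_identity


if __name__ == "__main__":
    cn = "alice@example.com"  # constructed certificate Common Name
    ticket = b"\x00\x1f\x8a\xff\x10\x42"  # constructed opaque NewSessionTicket identity
    outer = identity_from_certificate(cn)
    print("original EAP Identity:", outer)
    print("PSK identity routable:", psk_identity_is_routable(ticket))
    print("resumption EAP Identity:", identity_for_resumption(outer, ticket))
```

Run as a script it prints the anonymous identity derived from the constructed CN, reports that the constructed ticket blob yields no realm, and shows the same outer identity being reused for resumption.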