[Emu] AD review draft-ietf-emu-rfc7170bis-14
Paul Wouters <paul.wouters@aiven.io> Mon, 26 February 2024 02:15 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81F72C14F5FE for <emu@ietfa.amsl.com>; Sun, 25 Feb 2024 18:15:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4c7qniWIem0w for <emu@ietfa.amsl.com>; Sun, 25 Feb 2024 18:15:17 -0800 (PST)
Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7380C14F5F7 for <emu@ietf.org>; Sun, 25 Feb 2024 18:15:17 -0800 (PST)
Received: by mail-wr1-x42e.google.com with SMTP id ffacd0b85a97d-33d0a7f2424so1731216f8f.0 for <emu@ietf.org>; Sun, 25 Feb 2024 18:15:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1708913716; x=1709518516; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=xYmBY5/Y5dyYEB3IZPmMiOTNcMZmTuf2mbuTQSz9u+Y=; b=omhPjPPrr4aIjA9ucxzd6jbuy7tl03pefPqiMwGsFz6BdS9pXBCac+HCSr6PbTpyCH U+hBc6/FOAlc1k5oY6k9vX+QyZr67uklllZCFL1/eH0rAk1NZiUDJePXENST8pcnr1mJ rBV1ISCEzrKaJ1R8Xh8yJ7skpHoMhkGUIRk/8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708913716; x=1709518516; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=xYmBY5/Y5dyYEB3IZPmMiOTNcMZmTuf2mbuTQSz9u+Y=; b=Q3Rjj49uc2N0TRP6J/e4Ah7WXHMktcHQLucO5tRMpgeFxcD0J7c4XW/M90zcsNFJmC yGDtKU6xVTi8Gf9G+5ypL/dAVdmMX/jvQFyUGFknJfqPtS2s8WoRO7g2RtP+SiGuVVlr HVqtyGaIryU3HIMI3eA8yI6P72OPU6JQBLdhNTbbkCshbIpuWcula8nkbV0pOtE3lS58 Asrv0pm5WoWUAzljXYZrxYWEMOJZYI0lsqfKPVA0KExxxYz7GdZA7PD6T0KOIex4IQbQ Xfo89afrquXuaAMnf94T38MB1UyouqLD1BZgeBlH15+cCx+DpvY6gdk6/cTa4WnP09N5 r9kw==
X-Gm-Message-State: AOJu0YxHFaWXlvQVsdl2+Dpw40Zubf0tkxn2BLf6h/F4RxR5jUPADZx5 b6/mzimIaj/cTI2vfXqoLeA/pOgsRuG+7YJeQjn0o6T6fzgPtUnDTxcy0+s5WwfsPGwKidpCGoH jyAEoodCZhnhiTNt1w+muUsZHqg8xaeiFz+MNhZlFI/IohYKSpyo=
X-Google-Smtp-Source: AGHT+IEcCbcptsVnDQYVApS1NXvjCNPayfG5LWeOVU//55wnoD1wljmWHgPBvYq1IVPrLcUqqaVmTW96xaOg38qu7XA=
X-Received: by 2002:a5d:6d8b:0:b0:33d:d9ac:3cc8 with SMTP id l11-20020a5d6d8b000000b0033dd9ac3cc8mr785203wrs.7.1708913715680; Sun, 25 Feb 2024 18:15:15 -0800 (PST)
MIME-Version: 1.0
From: Paul Wouters <paul.wouters@aiven.io>
Date: Sun, 25 Feb 2024 21:15:04 -0500
Message-ID: <CAGL5yWaU33DV1hkZdz0j78-tG6QpO0+TJJ6u00H5UyO2noxRmA@mail.gmail.com>
To: emu@ietf.org, Alan DeKok <aland@freeradius.org>
Content-Type: multipart/alternative; boundary="000000000000fa111706123f7a61"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/bsTu8fk3qKnk9RwU0dRaunnYxo4>
Subject: [Emu] AD review draft-ietf-emu-rfc7170bis-14
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Feb 2024 02:15:22 -0000
Hi, I think in general this document is ready to go. I have some hopefully minor issues that would be good to resolve or clarify before starting IETF LC. As such, the PAC has been removed from this document. This reads a bit weird. Can it say PAC has been deprecated instead? This occurs twice in the document. draft-ietf-uta-rfc6125bis-15 -> RFC 9525 I am a bit confused by: Server Certificates MAY be constructed with a SubjectDN containing a single element, "CN=" containing the FQDN of the server. It is also permissible for the server to have an empty subjectDN as recommended by {!{I-D.ietf-uta-rfc6125bis}}. That document (RFC 9525 now) actually says: The Common Name RDN MUST NOT be used to identify a service because it is not strongly typed (it is essentially free-form text) and therefore suffers from ambiguities in interpretation. For similar reasons, other RDNs within the subjectName MUST NOT be used to identify a service. It seems to me that RFC9525 says to only use subjectAltName (SANs) ? Now this document also follows with: Server Certificates MUST include a subjectAltName extension Perhaps some text can be added to the "Server Certificates MAY be constructed" text by saying that authentication decisions MUST NOT be made based on the SubjectDN ? Note that since TLS client certificates are sent in the clear with TLS 1.2 and earlier Can "and earlier" be removed? Eg can this document say the TLS version MUST be 1.2 or later? If not, then the later text "The first is when TLS 1.2 is used" needs to fill in what is expected for TLS 1.1. Similar for more text later on, eg "which should not be sent over a TLS 1.2 connection". The first Basic-Password-Auth-Req TLV received in a session MUST include a prompt, which the peer displays to the user. Should this receive some Security Considerations to avoid log4j/JNDI type issues? While [RFC8446] allows for the TLS conversation to be restarted, Maybe write "TLS 1.3" instead of "[RFC8446]" here? Or use both? The IANA considerations lists: 11,PAC TLV,(DEPRECATED) [RFC7170] As it is [THIS-DOCUMENT] that deprecates it, it should be added to the reference RFC as well, eg: 11,PAC TLV,(DEPRECATED) [RFC7170] [THIS-DOCUMENT] Protection against Man-in-the-Middle Attacks Maybe rename to "on-path attacks" ? Appendix C.4 should clarify the TLS version used (1.2). Should it be changed to use a TLS 1.3 example? Paul
- [Emu] AD review draft-ietf-emu-rfc7170bis-14 Paul Wouters
- Re: [Emu] AD review draft-ietf-emu-rfc7170bis-14 Alan DeKok
- Re: [Emu] AD review draft-ietf-emu-rfc7170bis-14 Paul Wouters