IETF Logo Mail Archive

[Emu] AD review draft-ietf-emu-rfc7170bis-14

Paul Wouters <paul.wouters@aiven.io> Mon, 26 February 2024 02:15 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81F72C14F5FE for <emu@ietfa.amsl.com>; Sun, 25 Feb 2024 18:15:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4c7qniWIem0w for <emu@ietfa.amsl.com>; Sun, 25 Feb 2024 18:15:17 -0800 (PST)
Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7380C14F5F7 for <emu@ietf.org>; Sun, 25 Feb 2024 18:15:17 -0800 (PST)
Received: by mail-wr1-x42e.google.com with SMTP id ffacd0b85a97d-33d0a7f2424so1731216f8f.0 for <emu@ietf.org>; Sun, 25 Feb 2024 18:15:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1708913716; x=1709518516; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=xYmBY5/Y5dyYEB3IZPmMiOTNcMZmTuf2mbuTQSz9u+Y=; b=omhPjPPrr4aIjA9ucxzd6jbuy7tl03pefPqiMwGsFz6BdS9pXBCac+HCSr6PbTpyCH U+hBc6/FOAlc1k5oY6k9vX+QyZr67uklllZCFL1/eH0rAk1NZiUDJePXENST8pcnr1mJ rBV1ISCEzrKaJ1R8Xh8yJ7skpHoMhkGUIRk/8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708913716; x=1709518516; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=xYmBY5/Y5dyYEB3IZPmMiOTNcMZmTuf2mbuTQSz9u+Y=; b=Q3Rjj49uc2N0TRP6J/e4Ah7WXHMktcHQLucO5tRMpgeFxcD0J7c4XW/M90zcsNFJmC yGDtKU6xVTi8Gf9G+5ypL/dAVdmMX/jvQFyUGFknJfqPtS2s8WoRO7g2RtP+SiGuVVlr HVqtyGaIryU3HIMI3eA8yI6P72OPU6JQBLdhNTbbkCshbIpuWcula8nkbV0pOtE3lS58 Asrv0pm5WoWUAzljXYZrxYWEMOJZYI0lsqfKPVA0KExxxYz7GdZA7PD6T0KOIex4IQbQ Xfo89afrquXuaAMnf94T38MB1UyouqLD1BZgeBlH15+cCx+DpvY6gdk6/cTa4WnP09N5 r9kw==
X-Gm-Message-State: AOJu0YxHFaWXlvQVsdl2+Dpw40Zubf0tkxn2BLf6h/F4RxR5jUPADZx5 b6/mzimIaj/cTI2vfXqoLeA/pOgsRuG+7YJeQjn0o6T6fzgPtUnDTxcy0+s5WwfsPGwKidpCGoH jyAEoodCZhnhiTNt1w+muUsZHqg8xaeiFz+MNhZlFI/IohYKSpyo=
X-Google-Smtp-Source: AGHT+IEcCbcptsVnDQYVApS1NXvjCNPayfG5LWeOVU//55wnoD1wljmWHgPBvYq1IVPrLcUqqaVmTW96xaOg38qu7XA=
X-Received: by 2002:a5d:6d8b:0:b0:33d:d9ac:3cc8 with SMTP id l11-20020a5d6d8b000000b0033dd9ac3cc8mr785203wrs.7.1708913715680; Sun, 25 Feb 2024 18:15:15 -0800 (PST)
MIME-Version: 1.0
From: Paul Wouters <paul.wouters@aiven.io>
Date: Sun, 25 Feb 2024 21:15:04 -0500
Message-ID: <CAGL5yWaU33DV1hkZdz0j78-tG6QpO0+TJJ6u00H5UyO2noxRmA@mail.gmail.com>
To: emu@ietf.org, Alan DeKok <aland@freeradius.org>
Content-Type: multipart/alternative; boundary="000000000000fa111706123f7a61"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/bsTu8fk3qKnk9RwU0dRaunnYxo4>
Subject: [Emu] AD review draft-ietf-emu-rfc7170bis-14
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Feb 2024 02:15:22 -0000

Hi,

I think in general this document is ready to go. I have some hopefully
minor issues that would be good to resolve or clarify before starting IETF
LC.

       As such, the PAC has been removed from this document.

This reads a bit weird. Can it say PAC has been deprecated instead? This
occurs twice in the document.

draft-ietf-uta-rfc6125bis-15 -> RFC 9525

I am a bit confused by:

        Server Certificates MAY be constructed with a SubjectDN containing a
        single element, "CN=" containing the FQDN of the server.  It is also
        permissible for the server to have an empty subjectDN as recommended
        by {!{I-D.ietf-uta-rfc6125bis}}.

That document (RFC 9525 now) actually says:

        The Common Name RDN MUST NOT be used to identify a service
        because it is not strongly typed (it is essentially free-form
        text) and therefore suffers from ambiguities in interpretation.

        For similar reasons, other RDNs within the subjectName MUST NOT
        be used to identify a service.

It seems to me that RFC9525 says to only use subjectAltName (SANs) ?

Now this document also follows with:

        Server Certificates MUST include a subjectAltName extension

Perhaps some text can be added to the "Server Certificates MAY be
constructed"
text by saying that authentication decisions MUST NOT be made based on the
SubjectDN ?


        Note that since TLS client certificates are sent in the clear with
        TLS 1.2 and earlier

Can "and earlier" be removed? Eg can this document say the TLS version MUST
be 1.2 or later? If not, then the later text "The first is when TLS 1.2 is
used" needs to fill in what is expected for TLS 1.1. Similar for more text
later on, eg "which should not be sent over a TLS 1.2 connection".

        The first Basic-Password-Auth-Req TLV received in a session MUST
        include a prompt, which the peer displays to the user.

Should this receive some Security Considerations to avoid log4j/JNDI type
issues?

        While [RFC8446] allows for the TLS conversation to be restarted,

Maybe write "TLS 1.3" instead of "[RFC8446]" here? Or use both?

The IANA considerations lists:

        11,PAC TLV,(DEPRECATED) [RFC7170]

As it is [THIS-DOCUMENT] that deprecates it, it should be added to the
reference RFC as well, eg:

       11,PAC TLV,(DEPRECATED) [RFC7170] [THIS-DOCUMENT]


        Protection against Man-in-the-Middle Attacks

Maybe rename to "on-path attacks" ?

Appendix C.4 should clarify the TLS version used (1.2). Should it be
changed to use a TLS 1.3 example?

Paul

v2.23.0 | Report a Bug | By Email