IETF Logo Mail Archive

Re: [Emu] Commitment Message in draft-ietf-emu-eap-tls13

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Mon, 15 June 2020 14:42 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C7393A0DD3 for <emu@ietfa.amsl.com>; Mon, 15 Jun 2020 07:42:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=qtYYnja0; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=qtYYnja0
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Flg8XmnGVJ8 for <emu@ietfa.amsl.com>; Mon, 15 Jun 2020 07:42:05 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2050.outbound.protection.outlook.com [40.107.20.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B8BF3A0DCC for <emu@ietf.org>; Mon, 15 Jun 2020 07:42:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vsT4urEPg4KYhsvuO4ZHLZTLUVv9nAw0W82jC01q0qU=; b=qtYYnja0JwyTceUF9mhk8qpaiI8QGsaySCj16Plknosu5Y+TvbhwIKSRtoizw1dtOLUVhxiCnOx3+hYWH/fu++J8s+N6mFaCq19rnTawxtVs3cEfjZ7iVBwC1rAOAlUiVNzrECvX0V8ckKE5R5jGvwzYKoHZY0CDJ0q8TlIy1ho=
Received: from AM6PR10CA0002.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:209:89::15) by DB6PR08MB2776.eurprd08.prod.outlook.com (2603:10a6:6:1d::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3088.18; Mon, 15 Jun 2020 14:42:02 +0000
Received: from VE1EUR03FT036.eop-EUR03.prod.protection.outlook.com (2603:10a6:209:89:cafe::6d) by AM6PR10CA0002.outlook.office365.com (2603:10a6:209:89::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3088.18 via Frontend Transport; Mon, 15 Jun 2020 14:42:02 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT036.mail.protection.outlook.com (10.152.19.204) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3088.18 via Frontend Transport; Mon, 15 Jun 2020 14:42:01 +0000
Received: ("Tessian outbound 4f5776643448:v59"); Mon, 15 Jun 2020 14:42:01 +0000
X-CR-MTA-TID: 64aa7808
Received: from 48c3fb99183a.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 989290F7-2B54-48D0-BE68-B93FEDC737C3.1; Mon, 15 Jun 2020 14:41:56 +0000
Received: from EUR05-VI1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 48c3fb99183a.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Mon, 15 Jun 2020 14:41:56 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dpdK1eYg2rZLCS9vL2I7yM2HZ+tsuxEdk+Zo5IECQorNamG1dNEe+lrBHuP+MSEJ5AmxF7+0SIhUWT4vKqyNOzSqnZj/jAoJPdBfJnaJy71DNugAGT4++hod9I5wcQO50y/6VaFSJYwpY6DKo8m+Wz23RZp8LhIlv9GZq0dctM14T/ly1DWBH0Ga7XT1nudgKiRdfBJFv5xz6h3xPb4RvIX5DYj+R8K/dakxhmh+Q17VL6cHnj8nEFoF+HW1iti+UkbkTMyIqPd2r1atxBaNc4PNl8Mygjp3DhZiqOGfKDlYaMtIiG9XwK6pg8p8BhE9D+Mnwr8xBXJMBXDEm9YwJg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vsT4urEPg4KYhsvuO4ZHLZTLUVv9nAw0W82jC01q0qU=; b=NgXa6rVTMmDWSPGIsKP0kL3VnD6RsDM0XQkVoRc/QADwMMs5hCQjCwSs7Oweni9rnet1frmU5gAP3N+uHFArIAwridic3N6++dz7zdcrl9vLjh1rIGtMaKt9y5DgdlygEZApYhE91eOotgqW8CqF6CmBWeQaHae2YYJkY0p+qW6f7WT+OMjW0wBthgLFwKXtxr70e2tG4zlvQVO+4VRHFrTcgrynB6vqI+sTFiKVpWIfLzwXCyrkn3YkrsZauEkpz/q74cg4aOymt3kzPq2+ARERctVZbyA2DUi+Xr0vy7rBsmTsXt8Uokraf6f5fmUMEwdYzTOG/xC4YqP65F0GPg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vsT4urEPg4KYhsvuO4ZHLZTLUVv9nAw0W82jC01q0qU=; b=qtYYnja0JwyTceUF9mhk8qpaiI8QGsaySCj16Plknosu5Y+TvbhwIKSRtoizw1dtOLUVhxiCnOx3+hYWH/fu++J8s+N6mFaCq19rnTawxtVs3cEfjZ7iVBwC1rAOAlUiVNzrECvX0V8ckKE5R5jGvwzYKoHZY0CDJ0q8TlIy1ho=
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com (2603:10a6:208:106::13) by AM0PR08MB3107.eurprd08.prod.outlook.com (2603:10a6:208:60::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3088.22; Mon, 15 Jun 2020 14:41:54 +0000
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::39f5:e4d9:51ff:eae]) by AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::39f5:e4d9:51ff:eae%7]) with mapi id 15.20.3088.029; Mon, 15 Jun 2020 14:41:54 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Mohit Sethi M <mohit.m.sethi@ericsson.com>, "emu@ietf.org" <emu@ietf.org>
Thread-Topic: [Emu] Commitment Message in draft-ietf-emu-eap-tls13
Thread-Index: AdZAkc+cCh243U45Rdqk3n8/SPrXVQCilGmAAAGz0BA=
Date: Mon, 15 Jun 2020 14:41:54 +0000
Message-ID: <AM0PR08MB371610DEF383566F51D75B60FA9C0@AM0PR08MB3716.eurprd08.prod.outlook.com>
References: <AM0PR08MB37162AE5F0175B95A237B31EFA810@AM0PR08MB3716.eurprd08.prod.outlook.com> <1e769dbd-b563-0ba6-c398-8066c6151310@ericsson.com>
In-Reply-To: <1e769dbd-b563-0ba6-c398-8066c6151310@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: 83414081-0c81-4ae7-b6a2-e4cc488240e2.1
x-checkrecipientchecked: true
Authentication-Results-Original: ericsson.com; dkim=none (message not signed) header.d=none; ericsson.com; dmarc=none action=none header.from=arm.com;
x-originating-ip: [156.67.194.193]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 3a676fde-5829-40f3-90f2-08d8113a4400
x-ms-traffictypediagnostic: AM0PR08MB3107:|DB6PR08MB2776:
X-Microsoft-Antispam-PRVS: <DB6PR08MB27762D7D7EA70E7C959652BFFA9C0@DB6PR08MB2776.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
x-forefront-prvs: 04359FAD81
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: 8MuAw/NZ1Sja7v4FIPTk05pOh9wCPrDsglu9xxG9pXoz3dCZmlBQ+B2KFBtsN2gLEohOt2dEvoqiorSKmIZbT2cG8t5dYr+E1ABcVSRLsDlL/W2Nepok0wnNv/CTAdOQmrGBFMTk0ygbPMDk59BZUKNsr8mel69TD1h1DowPQyjjrWsMZmlHJUmFwZ1q13F9+70e5ENugyiCZXYAl3+xLhx1mnWRK8+MQU0nDCDQ+TwdgPOoAZYFCbf5Cd83KK4lppTjyO+WMuzWLq8fGX7ZLc9zIsnHD7dgvFPou/XtOnS60vzc1LT7I0AfaZhs4UerqQd4OYBqaWDyyI4FGCY1z6GxBQp6ATzOOmYqcqQXZ3xX/wWir/KQ/Q4+va+ijszQdHxuDYE5S7VPfD7RQjVLKg==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR08MB3716.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(346002)(376002)(136003)(366004)(39860400002)(316002)(8936002)(9326002)(8676002)(71200400001)(110136005)(52536014)(5660300002)(966005)(478600001)(15650500001)(18074004)(26005)(7696005)(53546011)(6506007)(186003)(83380400001)(166002)(66946007)(76116006)(33656002)(66556008)(66476007)(66446008)(64756008)(86362001)(2906002)(9686003)(55016002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: NosmRVu53JRGrlnd7YoLjcNP60Xf6Yg6+2TO7Bnnkl98B244qdbqPSiQKMyOkBajyFYaVs7VjI060XnbsAE/yInJONZ36HQg1AzbWcghx68tieIilt2xZEGlPQ16FxNgvlbdiLKwmD1OYTWA7rGMGsvrtdtp1Wxa0xhZPNqiu9JUdjXawYstSQ3tAtw9fz2fRqCNAWRUxh1gNbxbdvKDy85TRDT85vp8fQJF4n97/bMXYk84BibxZWN38uWwNYl3FjekmJQkfGqDDmVzXp3Ez95TwljTBArpI55JQdUC8IBEY/A81aDvtKdmwaCp3tEDhn9vlEVw1U8r/liir4PMTo5m6ZzG7TgGAdiA84pSmjTnnyvkAkBkulEt7dapXVPPZTwFH07DZCZ2yf79EIWhOcrkJ1feznDGBsAC8M5Ob1ieHTrDN5RchtbQdxkz/uqYohAuaun4ypD77mLIdBQTnuL9/I2zq4gwC4YDJ++qosT8jCqQcCSHzubNoYqeJyKU
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM0PR08MB371610DEF383566F51D75B60FA9C0AM0PR08MB3716eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB3107
Original-Authentication-Results: ericsson.com; dkim=none (message not signed) header.d=none; ericsson.com; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT036.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(4636009)(136003)(396003)(376002)(346002)(39860400002)(46966005)(2906002)(47076004)(55016002)(478600001)(110136005)(966005)(30864003)(316002)(83380400001)(15650500001)(166002)(9686003)(186003)(18074004)(9326002)(82740400003)(6506007)(52536014)(8936002)(33656002)(86362001)(70586007)(70206006)(336012)(81166007)(8676002)(53546011)(7696005)(5660300002)(356005)(36906005)(82310400002)(26005)(579004); DIR:OUT; SFP:1101;
X-MS-Office365-Filtering-Correlation-Id-Prvs: 8a4bbbb7-fe60-410b-3e41-08d8113a3f5a
X-Forefront-PRVS: 04359FAD81
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: rMeXs+dJ+l0HFm3PKm7nNO5i2LqCID/lyPBFGsmx5C6V1laHe5K3/lURRGoZKM4yP/Tje6iHVgeK4+NetYSQInzfRXTFJOiRIJqu0lk5CiwnOh/6XZnz3hoUdgLR6rdcSqvm8xQ9WVzAtrF/GcUgR27pX51qhQL6Uu7lDPD9g+cRGFVDJyYnktHaJNTclzKx6g8YzV5CqFKcIsmaYV53WKTPvjB07aSE6wZXP0iF5zctRJbQNA5aSWdDC/Cku4Ttw7wZKxcQ0iyacZzZ222f1tyQKqAHPzl0VsOQZ9ci9YwWWcn3e08Mea6XKPegjcKZl4krL84JrtCM9E6zjKOpb+oSYEEhnVEZM5p1lSSOzfTvbSe5WEiuwrA5epJYGIWrAWbkKspHZpuUqtyucMIZsOkvPlE/xduHZFUplIAhLWQTa8LHfMP92qePgjpesd2iN50f4wAYfBfl0YtCDrVpsA6OzZGvjTndsFvLZf+SZ/E=
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Jun 2020 14:42:01.8119 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 3a676fde-5829-40f3-90f2-08d8113a4400
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR08MB2776
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/zaVFDfdJGIz8C1RL05bvJ6MQ91g>
X-Mailman-Approved-At: Mon, 15 Jun 2020 08:04:47 -0700
Subject: Re: [Emu] Commitment Message in draft-ietf-emu-eap-tls13
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jun 2020 14:42:09 -0000

Hi Mohit,

Thanks for the super-detailed response.

Give me till tomorrow to parse your response. Glad to hear that you talked about this topic already.

Ciao
Hannes

From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
Sent: Monday, June 15, 2020 3:52 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; emu@ietf.org
Subject: Re: [Emu] Commitment Message in draft-ietf-emu-eap-tls13


Hi Hannes,

Unfortunately you are wrong here. The design decision was in fact taken to avoid changes to the underlying TLS implementation while also avoiding changes to RFC 3748. To summarize:

Jouni Malinen pointed out that mapping session resumption of TLS 1.3 to EAP-TLS is non-trivial. See his email here: https://mailarchive.ietf.org/arch/msg/emu/SBdblHmLQTbBwoZHK8Rih-g5ne8/. Essentially, TLS 1.3 allows a server to send a Post-Handshake message with a NewSessionTicket at any time. However, in EAP-TLS this is not possible. The TLS tunnel is torn down after authentication. John notes in his response to Jouni (https://mailarchive.ietf.org/arch/msg/emu/nNUw61cTvHgWj8F0sOVRoICUzlk/) "in TLS the connection is assumed to stay open for a long time after the client sends Finished, in EAP the connection is assumed to be closed shortly after."

An earlier cleaner way of sending NewSessionTicket required an extra round trip and left the peer uncertain about the next message (https://tools.ietf.org/html/draft-ietf-emu-eap-tls13-00#section-2.1.1). Jouni highlighted this uncertainty for a peer: " the peer has no idea whether the NewSessionTicket is delivered after ClientFinished. In other words, the next message in the sequence could be either continuation of EAP-TLS method or EAP-Success". You ask "why cannot the EAP-Success or EAP-Failure serve that purpose?". See RFC 3748 (https://tools.ietf.org/html/rfc3748) which says the following:

   Implementation Note: Because the Success and Failure packets are not

   acknowledged, they are not retransmitted by the authenticator, and

   may be potentially lost.  A peer MUST allow for this circumstance as

   described in this note.
and

 On the peer, after success result indications have been exchanged by

   both sides, a Failure packet MUST be silently discarded.  The peer

   MAY, in the event that an EAP Success is not received, conclude that

   the EAP Success packet was lost and that authentication concluded

   successfully.

Thus, EAP-Success cannot be used as a reliable notification mechanism. Till version 05 of the document, we used an empty application data record as a notification of the last handshake message. The text said:

When an EAP server has sent its last handshake message (Finished or a

   Post-Handshake), it commits to not sending any more handshake

   messages by appending an empty application data record (i.e. a TLS

   record with TLSPlaintext.type = application_data and

   TLSPlaintext.length = 0) to the last handshake record.  After sending

   an empty application data record, the EAP server may only send an

   EAP-Success, an EAP-Failure, or an EAP-Request with a TLS Alert

   Message.
However, Jouni in a later response (https://mailarchive.ietf.org/arch/msg/emu/WA8OREhTsF8JEPvaixGoCwmd1qY/) noted that such behavior is non-trivial to achieve with OpenSSL. He notes " OpenSSL is not willing to send such an empty TLSPlaintext structure. SSL_write() has following to say : 'You should not call SSL_write() with num=0, it will return an error. SSL_write_ex() can be called with num=0, but will not send application data to the peer.'"

Therefore, the text was later updated to:

 When an EAP server has sent its last handshake message (Finished or a

   Post-Handshake), it commits to not sending any more handshake

   messages by sending a Commitment Message.  The Commitment Message is

   a TLS record with application data 0x00 (i.e. a TLS record with

   TLSPlaintext.type = application_data, TLSPlaintext.length = 1, and

   TLSPlaintext.fragment = 0x00).  Note that the length of the plaintext

   is greater than the corresponding TLSPlaintext.length due to the

   inclusion of TLSInnerPlaintext.type and any padding supplied by the

   sender.  EAP server implementations MUST set TLSPlaintext.fragment to

   0x00, but EAP peer implementations MUST accept any application data

   as a Commitment Message from the EAP server to not send any more handshake messages.


There is still a challenge in scenarios where a server chooses not to issue any NewSessionTicket. In this email: https://mailarchive.ietf.org/arch/msg/emu/PgGjhmafbbSJCcQctDsFw7AvNmU/ Jouni notes this problem:

I did see some issues when OpenSSL 1.1.1 when disabling sending of

session tickets, though. The current draft indicates that the empty

Application Data payload would be send out in the same EAP packet with

the server's Finished message, i.e., before the server having

authenticated the peer. And this would be done without the peer having

used TLS early data (which is explicitly disallowed in the draft). That

combination did not work with my experiments since OpenSSL was rejecting

the SSL_write() operation after the server having written own Finished

message, but before having received the Finished message from the peer.

The OpenSSL documentation seemed to imply that SSL_write_early_data()

could be used by the server _if_ the client first sent early data.. At

least in my tests, OpenSSL rejected that call without early data from

the client.


This is why the current text also says the following:

 The Commitment Message may be sent in the same

   EAP-Request as the last handshake record or in a separate EAP-

   Request.  Sending the Commitment Message in a separate EAP-Request

   adds an additional round-trip, but may be necessary in TLS

   implementations that only implement a subset of TLS 1.3.  In the case

   where the server sends the Commitment Message in a separate EAP-

   Request, the conversation will appear as shown in Figure 9.  After

   sending the Commitment Message, the EAP server may only send an EAP-

   Success, an EAP-Failure, or an EAP-Request with a TLS Alert Message.


Thus, the current design decision has been guided by parallel implementation experience and it is the best solution we could come up with (given all the practical limitations).

--Mohit
On 6/12/20 11:36 AM, Hannes Tschofenig wrote:
Hi all,

This has probably been discussed extensively in the EMU group. I am sorry to bring it up again but I believe this is a bad design decision. I raised it in my short review just sent to the list but I believe it is worthwhile to point it out separately.

draft-ietf-emu-eap-tls13 introduces a new message to EAP-TLS, namely the Commitment Message. This requires extra code in an implementation because the normal behavior would be to run a TLS stack and then send encrypted data.
EAP-TLS does, however, not send application data*. This message changes this. Not only does it not send encrypted application data it requires an implementation to transmit a plaintext application data record after the application traffic secret has been created and before that application traffic secret is used to protect post handshake messages. This will make it difficult to re-use an off-the-shelf TLS 1.3 stack.


There is very little motivation about this message other than



"

   When an EAP server has sent its last handshake message (Finished or a

   Post-Handshake), it commits to not sending any more handshake

   messages by sending a Commitment Message.

"

I might miss something important here but why cannot the EAP-Success or EAP-Failure serve that purpose?

Here are two examples to explain what I mean:


  1.  Failed exchange



    EAP Peer                                              EAP Server



                                                         EAP-Request/

                                 <--------                  Identity

    EAP-Response/

    Identity (Privacy-Friendly)  -------->



                                                         EAP-Request/

                                                    EAP-Type=EAP-TLS

                                 <--------                (TLS Start)

    EAP-Response/

    EAP-Type=EAP-TLS

   (TLS ClientHello)             -------->

                                                         EAP-Request/

                                                    EAP-Type=EAP-TLS

                                                    (TLS ServerHello,

                                             TLS EncryptedExtensions,

                                              TLS CertificateRequest,

                                                     TLS Certificate,

                                               TLS CertificateVerify,

                                                        TLS Finished,

                                 <--------        Commitment Message)

    EAP-Response/

    EAP-Type=EAP-TLS

   (TLS Certificate,

    TLS CertificateVerify,

    TLS Finished)                -------->

                                                         EAP-Request/

                                                    EAP-Type=EAP-TLS

                                 <--------          (TLS Fatal Alert)

    EAP-Response/

    EAP-Type=EAP-TLS             -------->

                                 <--------               EAP-Failure



  1.  Successful Exchange with Post-Handshake NewSession Ticket


    EAP Peer                                              EAP Server



                                                         EAP-Request/

                                 <--------                  Identity

    EAP-Response/

    Identity (Privacy-Friendly)  -------->

                                                         EAP-Request/

                                                    EAP-Type=EAP-TLS

                                 <--------                (TLS Start)

    EAP-Response/

    EAP-Type=EAP-TLS

   (TLS ClientHello)             -------->

                                                         EAP-Request/

                                                    EAP-Type=EAP-TLS

                                                    (TLS ServerHello,

                                             TLS EncryptedExtensions,

                                              TLS CertificateRequest,

                                                     TLS Certificate,

                                               TLS CertificateVerify,

                                 <--------              TLS Finished)

    EAP-Response/

    EAP-Type=EAP-TLS

   (TLS Certificate,

    TLS CertificateVerify,

    TLS Finished)                -------->

                                                         EAP-Request/

                                                    EAP-Type=EAP-TLS

                                               (TLS NewSessionTicket,

                                 <--------        Commitment Message)

    EAP-Response/

    EAP-Type=EAP-TLS             -------->

                                 <--------               EAP-Success


Ciao
Hannes

(*): FWIW Post handshake messages are protected with the application traffic secrets.

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.


_______________________________________________

Emu mailing list

Emu@ietf.org<mailto:Emu@ietf.org>

https://www.ietf.org/mailman/listinfo/emu

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email