Re: [Emu] Working Group Last Call for TLS-based EAP types and TLS 1.3

John Mattsson <john.mattsson@ericsson.com> Sat, 19 February 2022 08:44 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/e9GEc8QstNWNBo9qyX3u-1nzI-c>

Hi,

I have reviewed the document. I think it is ready. There is interest in using these methods in 5G. TLS 1.3 is a must going forward.


Comments:

- The MAC function in section 2.2 is not defined. I assume it should be HMAC. Suggestion:

  OLD
     For TLS 1.3, the hash function used is the same as the
     ciphersuite hash function negotiated for HKDF in the key schedule, as
     per section 7.1 of RFC 8446.
  NEW
     For TLS 1.3, MAC is HMAC using the ciphersuite hash function negotiated for
     HKDF in the key schedule, as per section 7.1 of RFC 8446.


- "As the outer identity is simply an anonymous routing identifier"
  "The outer identity contains an NAI realm, which ensures that
   the inner authentication method is routed to the correct destination."

   Is this section talking about two different "outer identifiers"? The identity in the
   identity response is a routing identifier. Security properties like "ensures" are
   given by the identity in the TLS server certificate (to my understanding).




Editorial comments:

- The RFC style guide RFC 7322 states that the abstract must not contain citations.

- draft-ietf-emu-eap-tls13 is now RFC 9190. Some text in abstract and intro should be updated from "is being updated" to "has been updated".

- Section 1 Introduction should say something like "This document updates those methods in order to use the new key derivation methods available in TLS 1.3." The current formulations are "we wish" and "it is necessary".

- "MSK and EMSK are then derived",
  Suggestion "The outer MSK and EMSK are then derived"

- "Unlike previous TLS versions, TLS 1.3 can continue negotiation after the initial
   TLS handshake has been completed"

  Previous TLS versions had renegotiation.

- OLD
    but less interest in EAP-FAST and TTLS.
  NEW
    but less interest in EAP-FAST and TEAP.


- "do not provide for protected success and failure indicators as part of the
   outer TLS exchange."

   Could be good to inform the reader that the TLS alerts are still sent (I assume)
   but not used by EAP.

- "concatetation"
  "cloude"
  "changover"
  "deriviation"
  "authenticaton"
  "succeeed"
  "identies" (several places)
  "ciphersuite" (TLS uses the spelling cipher suite)
  "NewSessionTicketMessage" (NEW: NewSessionTicket message)


Cheers,
John
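The first comment above asks that the draft's MAC be pinned down as HMAC keyed to the cipher-suite hash negotiated for HKDF. The following is an added illustration of that rule, not text or code from the draft: it maps the TLS 1.3 cipher suites of RFC 8446 to their HKDF hash and computes the MAC with it, so a tag produced under one negotiated suite fails verification under another. The key and payload are constructed sample values; the function names are my own.

```python
import hashlib
import hmac

# TLS 1.3 cipher suites (RFC 8446, Appendix B.4) and the hash each one
# negotiates for HKDF in the key schedule (RFC 8446, Section 7.1).
TLS13_SUITE_HASH = {
    "TLS_AES_128_GCM_SHA256": "sha256",
    "TLS_AES_256_GCM_SHA384": "sha384",
    "TLS_CHACHA20_POLY1305_SHA256": "sha256",
    "TLS_AES_128_CCM_SHA256": "sha256",
    "TLS_AES_128_CCM_8_SHA256": "sha256",
}


def hkdf_hash_for(cipher_suite: str) -> str:
    """Return the hashlib name of the HKDF hash bound to a TLS 1.3 suite."""
    try:
        return TLS13_SUITE_HASH[cipher_suite]
    except KeyError:
        raise ValueError(f"not a TLS 1.3 cipher suite: {cipher_suite}") from None


def mac(cipher_suite: str, key: bytes, data: bytes) -> bytes:
    """MAC(key, data) as the review suggests defining it: HMAC over the
    cipher-suite hash negotiated for HKDF, so the MAC's strength tracks the
    TLS key schedule rather than being fixed to one hash for every suite."""
    return hmac.new(key, data, hkdf_hash_for(cipher_suite)).digest()


def verify_mac(cipher_suite: str, key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time check of a received tag under the negotiated suite."""
    return hmac.compare_digest(mac(cipher_suite, key, data), tag)


# Constructed sample values (hypothetical; not from any real TLS session).
SAMPLE_KEY = bytes(range(32))
SAMPLE_DATA = b"constructed EAP payload to be authenticated"

if __name__ == "__main__":
    for suite in TLS13_SUITE_HASH:
        print(suite, mac(suite, SAMPLE_KEY, SAMPLE_DATA).hex())
```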



From: Emu <emu-bounces@ietf.org> on behalf of Joseph Salowey <joe@salowey.net>
Date: Friday, 18 February 2022 at 18:19
To: EMU WG <emu@ietf.org>
Subject: [Emu] Working Group Last Call for TLS-based EAP types and TLS 1.3

This is a working group last call for TLS-based EAP types and TLS 1.3. The document is available here: https://datatracker.ietf.org/doc/draft-ietf-emu-tls-eap-types/

Please review the document and provide comments by March 4, 2022.

Thanks,

Joe and Mohit