[Emu] Commitment Message in draft-ietf-emu-eap-tls13
Hannes Tschofenig <Hannes.Tschofenig@arm.com> Fri, 12 June 2020 08:36 UTC
Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 615773A0DEA for <emu@ietfa.amsl.com>; Fri, 12 Jun 2020 01:36:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level:
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=THRvKaD7; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=THRvKaD7
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XcsOgG7eK9JL for <emu@ietfa.amsl.com>; Fri, 12 Jun 2020 01:36:54 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2069.outbound.protection.outlook.com [40.107.20.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B26B3A0DE9 for <emu@ietf.org>; Fri, 12 Jun 2020 01:36:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TS5DAXiKwtxFt0UeTSDPmvR15bNHBymafYLjDr4c2r4=; b=THRvKaD7/RIKyw6S1vIimHYOyT27pYkZX4VhvDi06yZApJUc216FDSYoWb/3tN/qzyRJ6IF7OErVI1DgflYxzmZYiaRc3d9+5GzwjZUyxI8Yj/i7czz/oqTKk6g4ydFA2DPlViN/Ms+PpSVgcgoktfr8LRS0Kfzt8IMStm39+L8=
Received: from AM6P193CA0142.EURP193.PROD.OUTLOOK.COM (2603:10a6:209:85::47) by AM0PR08MB4209.eurprd08.prod.outlook.com (2603:10a6:208:10c::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3066.18; Fri, 12 Jun 2020 08:36:51 +0000
Received: from VE1EUR03FT030.eop-EUR03.prod.protection.outlook.com (2603:10a6:209:85:cafe::aa) by AM6P193CA0142.outlook.office365.com (2603:10a6:209:85::47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3088.19 via Frontend Transport; Fri, 12 Jun 2020 08:36:51 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT030.mail.protection.outlook.com (10.152.18.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3088.18 via Frontend Transport; Fri, 12 Jun 2020 08:36:51 +0000
Received: ("Tessian outbound 4f5776643448:v59"); Fri, 12 Jun 2020 08:36:51 +0000
X-CR-MTA-TID: 64aa7808
Received: from 61483ea47525.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 3FEBF553-9C0B-44F6-BCCC-854CBC2E3B99.1; Fri, 12 Jun 2020 08:36:46 +0000
Received: from EUR05-VI1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 61483ea47525.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Fri, 12 Jun 2020 08:36:46 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GudmWueUF+qyoiWR5ZW0/9wF+3UXh3dz6xDhIyBK/5F9fvrwKBtI9/0X+wqtZn0RdQw+zBx95aowru6x5BrOQaKvyktiRy36u5gE2QCq07v4JmEmsQsgGGlmanfoYM8miMncLpSw+tB0A6fvT/W44Cqcd7qiVTtBIG08zayQRfbOg5e+cHxzf8OlQqqR7/yFgOVYeQ3os1C/AFj+bXGcDT2SaKE2iOcAjTqbzKuMI7enAdUUwbeAIxzVZPfs4Ktmi4/C/H5Yx7cnZQXgASO4DDdk473UqeHis83daTUE3TxDNfnOwhdSsIv7ZiruEsbwnqSChQN8YnkYAkIAmG009w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TS5DAXiKwtxFt0UeTSDPmvR15bNHBymafYLjDr4c2r4=; b=mHaQhvoEpYRpdoNOSJgCoj9W1zeZ18mue/chKU3cGc7e35iUev+Z97Y227hFmLhJ4bxWCBMUMWSlVzOxIW96h/FND4si4OIqD3y3x/xYOJ1pHcYfdM55EeuTFO/K8P9kDCAzbuUKOCpsa5uru1I6tMwEpmt7fRrd2U67LwDVeeO8dkfnY4maGlOF8KnsEh3Oi0jK1C7+t0k6KfSy9lxkKi5frJET6pG68/3hRvBn3aKCNULmewKsNI+40mbj3q3swddI5sc01mPg+EXbCRcca+znAF0KRDF2PoEeylHHmnj392S3X8arzCGQHjqfjlqXzRpLotAPIA76zaGiA28iNA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TS5DAXiKwtxFt0UeTSDPmvR15bNHBymafYLjDr4c2r4=; b=THRvKaD7/RIKyw6S1vIimHYOyT27pYkZX4VhvDi06yZApJUc216FDSYoWb/3tN/qzyRJ6IF7OErVI1DgflYxzmZYiaRc3d9+5GzwjZUyxI8Yj/i7czz/oqTKk6g4ydFA2DPlViN/Ms+PpSVgcgoktfr8LRS0Kfzt8IMStm39+L8=
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com (2603:10a6:208:106::13) by AM0PR08MB4209.eurprd08.prod.outlook.com (2603:10a6:208:10c::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3066.18; Fri, 12 Jun 2020 08:36:44 +0000
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::39f5:e4d9:51ff:eae]) by AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::39f5:e4d9:51ff:eae%7]) with mapi id 15.20.3088.023; Fri, 12 Jun 2020 08:36:44 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "emu@ietf.org" <emu@ietf.org>
Thread-Topic: Commitment Message in draft-ietf-emu-eap-tls13
Thread-Index: AdZAkc+cCh243U45Rdqk3n8/SPrXVQ==
Date: Fri, 12 Jun 2020 08:36:43 +0000
Message-ID: <AM0PR08MB37162AE5F0175B95A237B31EFA810@AM0PR08MB3716.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: c2d67adf-be6a-4723-adde-9ecfa121d2ef.0
x-checkrecipientchecked: true
Authentication-Results-Original: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=arm.com;
x-originating-ip: [156.67.194.193]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 158c9570-9305-46ea-665f-08d80eabc0f3
x-ms-traffictypediagnostic: AM0PR08MB4209:
X-Microsoft-Antispam-PRVS: <AM0PR08MB4209F8A75B294EFCA00C5265FA810@AM0PR08MB4209.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:9508;OLM:10000;
x-forefront-prvs: 0432A04947
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: bym2vYZLTvQnxI7IlrgADnp+v9mG26TKiz0Ei+Tf5TVWotdKytIIkLc1QSfJb1I4fc+BwB83IMCdKg3oYw5JQbaenOZ8RYfUg/9i80SqkQy7Kxwx4BMXvuU/7fAM7Ut8Gs7sUCjQlAV/8N0jwXx9sJlkJje51huz1+xoCCwr7dsXgXHfXKFZk63n1bQj2/084lfSrAangNXB5+KlfNtuPMdhiRKIia8eONBULWB1/fwTjEe9LDlbqVlXVNOyoT/NNANyyhnWAMIKuG6DB/dvikg0Ue8jlU5VO1AESL9KwGEKee4dw8Won5w462hue3rJo1O8qqslya8o+Y21DenzqA==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR08MB3716.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(376002)(346002)(366004)(136003)(396003)(66476007)(7696005)(316002)(15650500001)(8936002)(26005)(2906002)(6506007)(8676002)(33656002)(478600001)(66946007)(66556008)(83380400001)(64756008)(5660300002)(71200400001)(76116006)(66446008)(55016002)(186003)(9686003)(52536014)(18074004)(86362001)(6916009); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: g2G/Cv5k+5ZD0N+cmrxjbWrk92apNkf9WWO+diHRG6mf8LO5yNMTgrPI4r5al4hjHY/5jWxhR6qprbBAtQqrewv4hKSbfevT0P1wABRQqk0OJLoHBfu+CCoGN/5wiTkIAbS78flc7XvGh0BeeH4pTL/wv5t4NydcLf8q6M1IBa8mrBziSCRjvpTAJwAlRUBP6IFQ3X7qvnfSqbDrI1B157geOPDem9uqikhFr71x2Ht68Lq1QYgqZLAvz8sz/l9VPJe9SLguyKDe4fggJrNEiOZbI7eOguuZ2shPtrNlCdZ9CfqdEVwz9LHc069v6+CaMf70CBfZ3ywiNma5Bzihd2fB+8FyRHsyIdjTkCQ1DXWdM3+/SBAcYatKlKtewMrVLA66z572qG2D9S3MqIPmdvB/qvocttYcbbMoC2dF2nSdL8WzdB9JqhOtdvuPW3PZBsb9TrWVJy3ibO7cc9XIYYRMaibGmMNJK87rvK5yJbeFOJdoylj29Qzr6bruXvAc
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM0PR08MB37162AE5F0175B95A237B31EFA810AM0PR08MB3716eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB4209
Original-Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT030.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(376002)(346002)(136003)(396003)(46966005)(36906005)(336012)(7696005)(316002)(15650500001)(8936002)(26005)(2906002)(6506007)(8676002)(33656002)(478600001)(70586007)(83380400001)(70206006)(82740400003)(47076004)(5660300002)(81166007)(82310400002)(55016002)(186003)(9686003)(52536014)(356005)(18074004)(86362001)(6916009); DIR:OUT; SFP:1101;
X-MS-Office365-Filtering-Correlation-Id-Prvs: 15a5ed25-c28c-48f5-ec8b-08d80eabbcb3
X-Forefront-PRVS: 0432A04947
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: VqYJzLUcEMJCb7IXUXhAg8WfelBqdaEEu0gbNLw6R+J5G+jtzQImxAzB2GhRdxGY/6Ef+Hcl1fMt5OQ5Pjrv4r8GEU8HuG1/ilOTlfjJ+QckJt9EXMK5t+ykoUnthW2og+DDOYQeLdr9RzzbffB1lp1eWPfw4QgDJWpSpJqUfZ+/C9wrrQrGT6gZHwX4vA6m1bAEyP/JLgvAs2paRRbpSK9LI7Ix4yRr881W/z+6+42dGWkW2oGGCLILvaqSw3KwIGknE6bQ1sS24dQFUKxkHABhRnsg8wLVX7cj4OxbRrdQX5l9Jy2ClEPFuh0inRs3C1pKgh4/c0CB3giE4OAcu0PNDge6cDwJmeEnhJxuhtl24CzlGWul/jDBRDjPuhHPlY95erlo75Uq7HbioXZqnA==
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Jun 2020 08:36:51.1200 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 158c9570-9305-46ea-665f-08d80eabc0f3
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB4209
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/o2KGD4hox-znRr_4fYzg3ssozUo>
Subject: [Emu] Commitment Message in draft-ietf-emu-eap-tls13
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jun 2020 08:36:57 -0000
Hi all,
This has probably been discussed extensively in the EMU group. I am sorry to bring it up again but I believe this is a bad design decision. I raised it in my short review just sent to the list but I believe it is worthwhile to point it out separately.
draft-ietf-emu-eap-tls13 introduces a new message to EAP-TLS, namely the Commitment Message. This requires extra code in an implementation because the normal behavior would be to run a TLS stack and then send encrypted data.
EAP-TLS does, however, not send application data*. This message changes this. Not only does it not send encrypted application data it requires an implementation to transmit a plaintext application data record after the application traffic secret has been created and before that application traffic secret is used to protect post handshake messages. This will make it difficult to re-use an off-the-shelf TLS 1.3 stack.
There is very little motivation about this message other than
"
When an EAP server has sent its last handshake message (Finished or a
Post-Handshake), it commits to not sending any more handshake
messages by sending a Commitment Message.
"
I might miss something important here but why cannot the EAP-Success or EAP-Failure serve that purpose?
Here are two examples to explain what I mean:
1. Failed exchange
EAP Peer EAP Server
EAP-Request/
<-------- Identity
EAP-Response/
Identity (Privacy-Friendly) -------->
EAP-Request/
EAP-Type=EAP-TLS
<-------- (TLS Start)
EAP-Response/
EAP-Type=EAP-TLS
(TLS ClientHello) -------->
EAP-Request/
EAP-Type=EAP-TLS
(TLS ServerHello,
TLS EncryptedExtensions,
TLS CertificateRequest,
TLS Certificate,
TLS CertificateVerify,
TLS Finished,
<-------- Commitment Message)
EAP-Response/
EAP-Type=EAP-TLS
(TLS Certificate,
TLS CertificateVerify,
TLS Finished) -------->
EAP-Request/
EAP-Type=EAP-TLS
<-------- (TLS Fatal Alert)
EAP-Response/
EAP-Type=EAP-TLS -------->
<-------- EAP-Failure
1. Successful Exchange with Post-Handshake NewSession Ticket
EAP Peer EAP Server
EAP-Request/
<-------- Identity
EAP-Response/
Identity (Privacy-Friendly) -------->
EAP-Request/
EAP-Type=EAP-TLS
<-------- (TLS Start)
EAP-Response/
EAP-Type=EAP-TLS
(TLS ClientHello) -------->
EAP-Request/
EAP-Type=EAP-TLS
(TLS ServerHello,
TLS EncryptedExtensions,
TLS CertificateRequest,
TLS Certificate,
TLS CertificateVerify,
<-------- TLS Finished)
EAP-Response/
EAP-Type=EAP-TLS
(TLS Certificate,
TLS CertificateVerify,
TLS Finished) -------->
EAP-Request/
EAP-Type=EAP-TLS
(TLS NewSessionTicket,
<-------- Commitment Message)
EAP-Response/
EAP-Type=EAP-TLS -------->
<-------- EAP-Success
Ciao
Hannes
(*): FWIW Post handshake messages are protected with the application traffic secrets.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
- [Emu] Commitment Message in draft-ietf-emu-eap-tl… Hannes Tschofenig
- Re: [Emu] Commitment Message in draft-ietf-emu-ea… Mohit Sethi M
- Re: [Emu] Commitment Message in draft-ietf-emu-ea… Hannes Tschofenig
- Re: [Emu] Commitment Message in draft-ietf-emu-ea… Hannes Tschofenig
- Re: [Emu] Commitment Message in draft-ietf-emu-ea… Mohit Sethi M
- Re: [Emu] Commitment Message in draft-ietf-emu-ea… Hannes Tschofenig
- Re: [Emu] Commitment Message in draft-ietf-emu-ea… Mohit Sethi M