Re: [Emu] WG Last Call for Using EAP-TLS with TLS 1.3 (draft-ietf-emu-eap-tls13-17)

Mohit Sethi M <mohit.m.sethi@ericsson.com> Thu, 08 July 2021 05:31 UTC

From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Joseph Salowey <joe@salowey.net>, Oleg Pekar <oleg.pekar.2017@gmail.com>
CC: EMU WG <emu@ietf.org>
Date: Thu, 8 Jul 2021 05:31:28 +0000
Message-ID: <2c67a3b5-de25-cd3e-5b7c-e01e11a05ab1@ericsson.com>
References: <CAOgPGoDX9HdmgvmnWz_xUTqXMM7pd4_T9W3opFR77ce8CNWdQQ@mail.gmail.com> <CABXxEz9GSgGof6t_3w3AngH6-FrMbKzDGKpDS90-N2gtmgqgnA@mail.gmail.com> <CAOgPGoBLb-70jynH7o26nyF4T=+ZcCk6GMb6zyXk6E8+erTjqQ@mail.gmail.com> <CAOgPGoADC_z4v2pUOAXC+HW1-P_OOuLOL5zR9tBjTCXXV7-22A@mail.gmail.com>
In-Reply-To: <CAOgPGoADC_z4v2pUOAXC+HW1-P_OOuLOL5zR9tBjTCXXV7-22A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/eJpnrBxZSFfEt8K6Kn1bS3df8AU>
Subject: Re: [Emu] WG Last Call for Using EAP-TLS with TLS 1.3 (draft-ietf-emu-eap-tls13-17)

Hi Oleg, Joe, all,

On 7/8/21 8:06 AM, Joseph Salowey wrote:


On Tue, Jul 6, 2021 at 10:08 PM Joseph Salowey <joe@salowey.net> wrote:


On Mon, Jun 28, 2021 at 8:11 AM Oleg Pekar <oleg.pekar.2017@gmail.com> wrote:
I still see unclearness in Section "2.2. Identity Verification", I'm trying to look from the implementer's perspective.

1) "Since EAP-TLS deployments may use more than one EAP
   server, each with a different certificate, EAP peer implementations
   SHOULD allow for the configuration of a unique trusted root (CA
   certificate) to authenticate the server certificate and one or more
   server names to match against the SubjectAltName (SAN) extension in
   the server certificate.  To simplify name matching, an EAP-TLS
   deployment can assign a name to represent an authorized EAP server
   and EAP Server certificates can include this name in the list of SANs
   for each certificate that represents an EAP-TLS server."

--- question: Should the server name match *any* of SAN extensions in the server certificate? If so - then suggest to say this explicitly.


[Joe] Does adding the following sentence help?

"If any of the configured names match any of the names in the SAN extension then the name check passes."
This makes sense. I will update the draft in github.


[Joe] Yes, the behavior is to match any.

2) "If server
   name matching is not used, then peers may end up trusting servers for
   EAP authentication that are not intended to be EAP servers for the
   network."

--- question: It looks like a warning, right? Suggest to make it more explicit. Something like "If server name matching is not used, then it essentially decreases the level of security of peer's authentication since the peer may end up trusting servers for EAP authentication that are not intended to be EAP servers for the network."


[Joe] Thanks, I think that is better wording.

I find the text a little hard to parse. I am not sure how comfortable we are with defining "levels" of security. Also, "peer's authentication" might confuse the reader since we are talking about server name matching. I don't really have a better suggestion. Perhaps something along the lines: .... it essentially degrades the peer's confidence that the EAP server with which it is interacting is authoritative for the given network....??

--Mohit


Regards,
Oleg

On Mon, Jun 28, 2021 at 2:26 AM Joseph Salowey <joe@salowey.net> wrote:
This is the working group last-call (WGLC) for draft-ietf-emu-eap-tls13.  Please review the draft, focus on the changes since the last WGLC and submit your comments to the list by July 8, 2021.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-emu-eap-tls13/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-emu-eap-tls13-17

A diff from the previous WGLC version (-15):
https://www.ietf.org//rfcdiff?url1=draft-ietf-emu-eap-tls13-17&url2=draft-ietf-emu-eap-tls13-15

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-emu-eap-tls13-17

Thanks,

Joe
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu



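The identity-verification rule the thread is discussing (one configured trusted root, one or more configured EAP server names, and the check passes when any configured name matches any name in the server certificate's SAN extension), written out as an added Go example. This is not code from the draft, from any EAP implementation, or from any of the participants. It assumes that the SAN entries being matched are dNSName entries, that matching is an exact case-insensitive comparison with no wildcard or CommonName fallback, and that an empty list of configured names is rejected outright rather than silently skipping the name check, which is the situation the "peers may end up trusting servers ... not intended to be EAP servers" warning is about. The root CA and server certificate are a constructed in-process fixture.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// EAPServerPolicy is the peer-side configuration the draft describes:
// a single trusted root and one or more acceptable EAP server names.
type EAPServerPolicy struct {
	Roots       *x509.CertPool
	ServerNames []string
}

// VerifyEAPServer builds and checks a chain from the server certificate to the
// configured root, then applies the "any configured name matches any SAN" rule.
// Assumptions: only SAN dNSName entries are compared, the comparison is exact
// and case-insensitive (no wildcards), and an empty name list is an error.
func VerifyEAPServer(leaf *x509.Certificate, pol EAPServerPolicy) error {
	if _, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pol.Roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	if len(pol.ServerNames) == 0 {
		return fmt.Errorf("no EAP server names configured; refusing to skip name matching")
	}
	for _, want := range pol.ServerNames {
		for _, san := range leaf.DNSNames {
			if strings.EqualFold(want, san) {
				return nil
			}
		}
	}
	return fmt.Errorf("no configured name in %v matches SAN dNSNames %v", pol.ServerNames, leaf.DNSNames)
}

// newTestPKI mints a throwaway root CA and a server certificate signed by it
// carrying the given SAN dNSNames. Constructed fixture for this example only.
func newTestPKI(sans []string) (root, leaf *x509.Certificate, err error) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example EAP Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	if root, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "radius1.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     sans, // the deployment-assigned EAP server name(s) go here
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, leafPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return root, leaf, err
}

func main() {
	root, leaf, err := newTestPKI([]string{"eap.example.com", "radius1.example.com"})
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	// First list passes (EAP.example.com matches the first SAN), the second fails, the third is rejected.
	for _, names := range [][]string{{"other.example.com", "EAP.example.com"}, {"other.example.com"}, nil} {
		fmt.Printf("names=%v -> %v\n", names, VerifyEAPServer(leaf, EAPServerPolicy{Roots: roots, ServerNames: names}))
	}
}
```

The chain check and the name check are deliberately separate steps: the chain check answers "was this certificate issued under the root I trust for EAP", and the name check answers "is this one of the servers I expect to authenticate to". Dropping the second step is exactly what lets any server certificate issued under that root, including ones minted for unrelated services, complete the EAP-TLS handshake.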