Re: [Emu] WG Last Call for Using EAP-TLS with TLS 1.3 (draft-ietf-emu-eap-tls13-17)
Oleg Pekar <oleg.pekar.2017@gmail.com> Mon, 28 June 2021 15:11 UTC
References: <CAOgPGoDX9HdmgvmnWz_xUTqXMM7pd4_T9W3opFR77ce8CNWdQQ@mail.gmail.com>
In-Reply-To: <CAOgPGoDX9HdmgvmnWz_xUTqXMM7pd4_T9W3opFR77ce8CNWdQQ@mail.gmail.com>
From: Oleg Pekar <oleg.pekar.2017@gmail.com>
Date: Mon, 28 Jun 2021 18:11:09 +0300
Message-ID: <CABXxEz9GSgGof6t_3w3AngH6-FrMbKzDGKpDS90-N2gtmgqgnA@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Cc: EMU WG <emu@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/eKZVnZlqXsnJIXOK9rdX8AzBnzU>
I still see unclearness in Section "2.2. Identity Verification". I'm trying to look at it from the implementer's perspective.

1) "Since EAP-TLS deployments may use more than one EAP server, each with a different certificate, EAP peer implementations SHOULD allow for the configuration of a unique trusted root (CA certificate) to authenticate the server certificate and one or more server names to match against the SubjectAltName (SAN) extension in the server certificate. To simplify name matching, an EAP-TLS deployment can assign a name to represent an authorized EAP server and EAP Server certificates can include this name in the list of SANs for each certificate that represents an EAP-TLS server."

--- question: Should the server name match *any* of the SAN entries in the server certificate? If so, then I suggest saying this explicitly.

2) "If server name matching is not used, then peers may end up trusting servers for EAP authentication that are not intended to be EAP servers for the network."

--- question: It looks like a warning, right? I suggest making it more explicit. Something like: "If server name matching is not used, then it essentially decreases the level of security of the peer's authentication, since the peer may end up trusting servers for EAP authentication that are not intended to be EAP servers for the network."

Regards,
Oleg

On Mon, Jun 28, 2021 at 2:26 AM Joseph Salowey <joe@salowey.net> wrote:

> This is the working group last-call (WGLC) for draft-ietf-emu-eap-tls13.
> Please review the draft, focus on the changes since the last WGLC and
> submit your comments to the list by July 8, 2021.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-emu-eap-tls13/
>
> There is also an htmlized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-emu-eap-tls13-17
>
> A diff from the previous WGLC version (-15):
> https://www.ietf.org//rfcdiff?url1=draft-ietf-emu-eap-tls13-17&url2=draft-ietf-emu-eap-tls13-15
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-emu-eap-tls13-17
>
> Thanks,
>
> Joe
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
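The peer-side check that the quoted Section 2.2 text describes, as an added illustration that is not part of the draft or of this thread: one configured trusted root plus a list of acceptable server names, where a server certificate is accepted if it chains to that root and at least one configured name matches any SAN dNSName (the "any of the SAN entries" reading asked about in point 1; the draft does not state this, so it is an assumption here). The `Scenario` function also shows the consequence raised in point 2: with name matching disabled, a web-server certificate issued by the same CA is accepted as an EAP server. The `PeerConfig` type, the `AcceptServer` and `Scenario` functions and the example.net names are hypothetical; the certificates are generated in-process with Go's standard library so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must is a small helper so certificate generation reads as one line per step.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a self-signed root that plays the role of the peer's single
// configured trusted root for EAP server certificates (constructed test data).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example EAP Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// newServerCert issues a TLS server certificate under ca whose SAN extension
// carries the given dNSName entries (constructed test data).
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, sans []string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// PeerConfig is a hypothetical EAP peer configuration: one trusted root and
// zero or more acceptable EAP server names. An empty ServerNames list models
// a deployment that does not use server name matching.
type PeerConfig struct {
	Root        *x509.Certificate
	ServerNames []string
}

// AcceptServer returns nil when cert chains to the configured root and, if
// server names are configured, at least one of them matches any SAN dNSName.
// Matching is delegated to x509.Certificate.VerifyHostname, which uses the SAN
// extension (not the CN) whenever SAN entries are present.
func AcceptServer(cfg PeerConfig, cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(cfg.Root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if len(cfg.ServerNames) == 0 {
		return nil // name matching disabled: any cert from the root is accepted
	}
	var lastErr error
	for _, name := range cfg.ServerNames {
		if err := cert.VerifyHostname(name); err == nil {
			return nil // assumption: a match against any SAN entry suffices
		} else {
			lastErr = err
		}
	}
	return fmt.Errorf("no configured server name matches SAN %v: %w", cert.DNSNames, lastErr)
}

// Scenario issues two certificates from the same root, one for a real EAP
// server and one for an unrelated web server, and reports which ones a peer
// with the given server-name list accepts.
func Scenario(serverNames []string) (eapAccepted, webAccepted bool) {
	ca, caKey := newCA()
	eap := newServerCert(ca, caKey, 2, []string{"radius1.example.net", "eap.example.net"})
	web := newServerCert(ca, caKey, 3, []string{"www.example.net"})
	cfg := PeerConfig{Root: ca, ServerNames: serverNames}
	return AcceptServer(cfg, eap) == nil, AcceptServer(cfg, web) == nil
}

func main() {
	for _, names := range [][]string{nil, {"eap.example.net"}} {
		e, w := Scenario(names)
		fmt.Printf("server names %v: EAP server accepted=%v, web server accepted=%v\n", names, e, w)
	}
}
```

Running it prints two lines: with no server names configured both certificates are accepted, since both chain to the trusted root; with "eap.example.net" configured only the EAP server certificate passes, because the web server's SAN carries no matching entry.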
- [Emu] WG Last Call for Using EAP-TLS with TLS 1.3… Joseph Salowey
- Re: [Emu] WG Last Call for Using EAP-TLS with TLS… Oleg Pekar
- Re: [Emu] WG Last Call for Using EAP-TLS with TLS… Joseph Salowey
- Re: [Emu] WG Last Call for Using EAP-TLS with TLS… Joseph Salowey
- Re: [Emu] WG Last Call for Using EAP-TLS with TLS… Mohit Sethi M
- Re: [Emu] WG Last Call for Using EAP-TLS with TLS… tom.rixom
- Re: [Emu] WG Last Call for Using EAP-TLS with TLS… Alan DeKok
- Re: [Emu] WG Last Call for Using EAP-TLS with TLS… Joseph Salowey
- Re: [Emu] WG Last Call for Using EAP-TLS with TLS… Oleg Pekar
- Re: [Emu] WG Last Call for Using EAP-TLS with TLS… Joseph Salowey
- Re: [Emu] WG Last Call for Using EAP-TLS with TLS… Alan DeKok