Re: [Emu] RFC 7170 (TEAP) errata
Jouni Malinen <j@w1.fi> Tue, 23 July 2019 08:46 UTC
Return-Path: <j@w1.fi>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C6AB1200E7 for <emu@ietfa.amsl.com>; Tue, 23 Jul 2019 01:46:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VcxnkXfXWQtD for <emu@ietfa.amsl.com>; Tue, 23 Jul 2019 01:46:28 -0700 (PDT)
Received: from li674-96.members.linode.com (mail.w1.fi [212.71.239.96]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 628E3120041 for <emu@ietf.org>; Tue, 23 Jul 2019 01:46:28 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by li674-96.members.linode.com (Postfix) with ESMTP id 6A41A11B78; Tue, 23 Jul 2019 08:46:25 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at w1.fi
Received: from li674-96.members.linode.com ([127.0.0.1]) by localhost (mail.w1.fi [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zh8oFLcS3z4m; Tue, 23 Jul 2019 08:46:23 +0000 (UTC)
Received: by jm (sSMTP sendmail emulation); Tue, 23 Jul 2019 11:46:21 +0300
Date: Tue, 23 Jul 2019 11:46:21 +0300
From: Jouni Malinen <j@w1.fi>
To: Joseph Salowey <joe@salowey.net>
Cc: Jouni Malinen <jkmalinen@gmail.com>, emu@ietf.org
Message-ID: <20190723084621.GA6611@w1.fi>
References: <CANe27jLO9eDA867X8hCHv_WRADN_txSp4xpRTxn2RpwS=yaquA@mail.gmail.com> <CAOgPGoBXrm0kGk4xsSen9ihCKRhVYgzPQR-H0C5AFtY9wChxqQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAOgPGoBXrm0kGk4xsSen9ihCKRhVYgzPQR-H0C5AFtY9wChxqQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/eMmXT6_Qj1bn1cS1RX3vTQtfIXQ>
Subject: Re: [Emu] RFC 7170 (TEAP) errata
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 08:46:30 -0000
On Mon, Jul 22, 2019 at 01:50:26PM -0400, Joseph Salowey wrote: > On Mon, Jul 1, 2019 at 4:11 PM Jouni Malinen <jkmalinen@gmail.com> wrote: > > (1) Crypto-Binding TLV format for the cases where the negotiated TLS > > cipher suite uses SHA256 (or SHA384, for that matter) instead of SHA-1 (and > > I'd hope all deployments of TEAP would be recent enough to avoid use of > > SHA-1..): > > https://www.rfc-editor.org/errata/eid5768 > > [Joe] I'd like to hear if anyone has an implementation, and how they > implemented on a cipher suite that is not SHA-1. My feeling is that it > would be better to make the TLV length variable with the hash length. > However, I do not see why truncating would work as well. For now, I ended up implementing this with truncation to 20 octets since it was a bit simpler to do. I have an implementation with support for SHA-1, SHA-256, and SHA-384; and not allowing MD5 at all to avoid questions about shorter than 20 octets and use of obsolete algorithms. That said, I think it would be better to make the Compound MAC fields to be of variable length (i.e., be based on the output length of the negotiated MAC algorithm) so that the full MAC value can be exchanged. This would mean the Crypto-Binding TLV length would need to be marked variable. I'm ready to change my implementation to do this as soon as there is some clear indication on that being the direction TEAP should go to. This is a straightforward change in the implementation, but I don't want to be moving back and forth on this before seeing some signs of consensus on the TEAP specification side. -- Jouni Malinen PGP id EFC895FA
- [Emu] RFC 7170 (TEAP) errata Jouni Malinen
- Re: [Emu] RFC 7170 (TEAP) errata Joseph Salowey
- Re: [Emu] RFC 7170 (TEAP) errata Joseph Salowey
- Re: [Emu] RFC 7170 (TEAP) errata Alan DeKok
- Re: [Emu] RFC 7170 (TEAP) errata Jouni Malinen
- Re: [Emu] RFC 7170 (TEAP) errata Jouni Malinen
- Re: [Emu] RFC 7170 (TEAP) errata Michael Richardson