IETF Logo Mail Archive

Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)

Eric Rescorla <ekr@rtfm.com> Mon, 01 February 2021 16:09 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 868B13A1297 for <emu@ietfa.amsl.com>; Mon, 1 Feb 2021 08:09:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nKfp0sZ--PTr for <emu@ietfa.amsl.com>; Mon, 1 Feb 2021 08:09:43 -0800 (PST)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CE193A1298 for <emu@ietf.org>; Mon, 1 Feb 2021 08:09:43 -0800 (PST)
Received: by mail-lj1-x22d.google.com with SMTP id s18so20274092ljg.7 for <emu@ietf.org>; Mon, 01 Feb 2021 08:09:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=h8yKCaXD0t8g85S5qXia18usxz9/+wargLsk0+9rRTI=; b=QQR2pFNo9/7H/cpUgJwuUsD+WekY++BkXUbe+mosDkwpCw9jzZ5s7pWjptbn7c7M/T wYUa4thkcKjdjXSW7WjXBBEjBMWdjFx2qux4uVFQhYAb5RkEE2M1N4WVJ0sXOB86ICkr A1Z3GU+f363tlNsXazcSaS/ZozlPwK+4oZoLZEjsFB90bU/fia64l9f3h/DlQL2Tnv97 xHqU/6accNjzRhgcDehvFpm8IzCOJp4ZDTj9wwnrmYJBGdW8GqeYyn/WtxzB7m/+HJ/K sWcq/V5x0dEgnYKFwCu9SLVsuFT0L7lvhsm6XH6TvsA59ZsjgZALVq1jH0QKTQp5lJ0J mP5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=h8yKCaXD0t8g85S5qXia18usxz9/+wargLsk0+9rRTI=; b=aYIYap9Vw6BrWaUsXAoNJ0Gsk1eOeOrqJkFQZy5jnQPbeLXaAsf+u7D8EMbrZ8BfrY 4My2t3m03Sae9QHKdNGlsC9KXs2Oq4e5e6ehhqzqtdOTSekIpbz5OfZgXjsjcuC9B89b RYV0IO9EgjkDOo3ax4yyebVGKneshC9mvEF/bu2In/Pw9tjhqI7m4Bk5ZIRatk56wMjm PoH3DlcMGRjAihTd3u4jNpnvMlQiWz9PNwGPsJwfVxPWBIHq/Okm8K6ftDLt9BzumJzP 5iUvOvqcORqQ4Z4j48ON9RA16e7S9kvtWcAoqJzBqk+U5g+DArlNupn9zjuX5NY3mhNp WALw==
X-Gm-Message-State: AOAM532ToY+v2wovEQGxGRjJBOz2//W5dLPp1uN8yT1FvNzfh8ZxIpjR hb73gJhUBv5roCWz4xWxDSwVW3+tTUNuc9sdc3CARQ==
X-Google-Smtp-Source: ABdhPJw/AEoKgMt+S4yreZFxnV0hQ2cQgwG+zk9anEaVHNBCyIYzmlwrlossOeo1Z568ZeIqV82n1qK2x59pD943jrQ=
X-Received: by 2002:a2e:7f04:: with SMTP id a4mr10339350ljd.3.1612195781464; Mon, 01 Feb 2021 08:09:41 -0800 (PST)
MIME-Version: 1.0
References: <e669002f-caff-1e6e-e28b-d09157eb0c07@ericsson.com> <6241F0B6-C722-449E-AC3A-183DE330E7B5@deployingradius.com> <9ddd1593-3131-f5cc-d0db-74bf3db697bf@ericsson.com> <3CB58153-8CCA-4B1E-B530-BA67A6035310@deployingradius.com> <CAOgPGoA3U+XpZMY7J+KGovNx6MtAdEzRaGW33xVJdQNWSi4LVg@mail.gmail.com> <770e6a49-52fc-4e8b-91af-48f85e581fbb@www.fastmail.com> <CAOgPGoBGOMXH-kMhQSujWxnACdmBL845u0ouE0fUYc4rWtUrZg@mail.gmail.com> <ca4c526e-79a0-4fa7-abda-2b626795f068@www.fastmail.com> <3409F71E-4CE4-46BB-8079-BFBE9BE83C9A@deployingradius.com> <66157321-55DC-4831-8EF2-D75934D9024C@deployingradius.com> <20210129183220.GI21@kduck.mit.edu> <1A830492-3404-4BCC-844B-D7D950458BD9@deployingradius.com> <CABcZeBMAtmPfG0rctvO8UvnhPqY1etk=SxnonP_t6ysNxH7hVA@mail.gmail.com> <D6AAF668-86C8-4C5D-AF1E-B37F106A4D1C@deployingradius.com>
In-Reply-To: <D6AAF668-86C8-4C5D-AF1E-B37F106A4D1C@deployingradius.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 01 Feb 2021 08:09:04 -0800
Message-ID: <CABcZeBPES99+xo16=aSDJQbGpzM_Q+k-pWtg424Gu4UAcFbo9Q@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, "<tls@ietf.org>" <tls@ietf.org>, Martin Thomson <mt@lowentropy.net>, EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dce82305ba489496"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/fYsNaCSAqLi23fE1_MmUwYypZQw>
Subject: Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2021 16:09:46 -0000

On Mon, Feb 1, 2021 at 7:42 AM Alan DeKok <aland@deployingradius.com> wrote:

> On Feb 1, 2021, at 9:55 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> > Let's take the second case first. If the server is sending (or
> > potentially sending) post-handshake messages after the client's second
> > flight (e.g., after reading its certificate), then it can easily send
> > a close_notify after sending all of them. This will appear in the same
> > flight as the commitment message would have (because you can't send it
> > before the post-handshake messages) and avoid the need for an extra
> > round trip.
>
>   That use of CloseNotify would be before the server receives the client
> certificates.  It prevents the server from sending TLS alerts for
> certificate errors (expired, unknown CA, etc).  That would be an
> unmitigated disaster for deployments.
>

That's not what I'm proposing. I'm only talking about the case where the
server says this after flight (2).


  The CloseNotify *could* be sent after the server receives the client
> certs.  But that still means another full round of EAP, before the final
> EAP-Success.  So from that view, there's no difference between CloseNotify
> and an explicit commitment message.
>

Right. But close_notify is the message that more matches the TLS semantics.


> > The first case, where the commitment message is sent in 0.5-RTT,
> > is the interesting one. However, the server has no more information
> > after sending SFIN than it does sending EE, so I believe that the
> > easiest way to deal with this is with a TLS extension that says
> > "I do not send any post-handshake messages". This would still
> > leave the server free to send any relevant alerts in response to
> > the client's second flight.
>
>   Except that if the server likes the client cert, Figure 1 of draft-13
> shows the next packet is EAP-Success.  So the client has no *authenticated*
> way of telling that it has been authenticated.  Any party to the
> conversation could send a blank EAP-Success (which is 4 bytes of
> unauthenticated data).  And thus break EAP-TLS.
>

I fear we are talking past each other.

Ignoring the protocol mechanics, let's just talk about what signals you
think the client ought to want to receive. The two I am aware of are:

1. From the server's perspective, the TLS handshake is complete.
2. The server will not be sending any more handshake messages to the client.

When client authentication is being used, then for obvious reasons (1)
cannot be delivered prior to the server receiving and processing the
client's certificate. Agreed? Indeed, this seems like a problem with the
flow shown in Figure 1, because the server sends Commitment prior to
reading the client's cert.

ISTM that the relevant question is when one might want to receive (2).  In
particular, when would the client want to learn that the server will not
send any more handshake messages when the client has second flight
handshake messages still outstanding? Can you explain to me how this is
useful?

-Ekr


>   Alan DeKok.
>
>

v2.23.0 | Report a Bug | By Email