IETF Logo Mail Archive

Re: [Emu] draft-ietf-emu-eaptlscert-04

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Thu, 18 June 2020 14:28 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 211543A113C for <emu@ietfa.amsl.com>; Thu, 18 Jun 2020 07:28:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=pKFjY+oy; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=pKFjY+oy
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hgSP4cBipyf5 for <emu@ietfa.amsl.com>; Thu, 18 Jun 2020 07:28:47 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130052.outbound.protection.outlook.com [40.107.13.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6ED063A1139 for <emu@ietf.org>; Thu, 18 Jun 2020 07:28:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qWX6BY/+SeTDGfSCH9ZvuL5hYugrzpUZ83TmmBp8Wfc=; b=pKFjY+oyiQi2Op4XT1RKhnMQIs6SUJBXRIXzSZ6E1QmwrnBwZWw4j4cjbVprTmJvvr0DxDCI5xkejkLWQ0LyXfU7Kzj/DWgJgacwU4U65aDB0/qx0slWPw93J74Du+4myjp3TvoF1/pydXI5SaeF+UVHAGDdErRuCLHkjKNzCLg=
Received: from AM7PR04CA0003.eurprd04.prod.outlook.com (2603:10a6:20b:110::13) by VI1PR0801MB1662.eurprd08.prod.outlook.com (2603:10a6:800:52::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3088.20; Thu, 18 Jun 2020 14:28:43 +0000
Received: from VE1EUR03FT010.eop-EUR03.prod.protection.outlook.com (2603:10a6:20b:110:cafe::49) by AM7PR04CA0003.outlook.office365.com (2603:10a6:20b:110::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3109.22 via Frontend Transport; Thu, 18 Jun 2020 14:28:43 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT010.mail.protection.outlook.com (10.152.18.113) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3109.22 via Frontend Transport; Thu, 18 Jun 2020 14:28:42 +0000
Received: ("Tessian outbound cdcc6148d2f4:v59"); Thu, 18 Jun 2020 14:28:42 +0000
X-CR-MTA-TID: 64aa7808
Received: from f1a8a6b7707f.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id C9EA34EB-E6FB-4FF6-BAF4-00B92E3F7541.1; Thu, 18 Jun 2020 14:28:37 +0000
Received: from EUR02-AM5-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id f1a8a6b7707f.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Thu, 18 Jun 2020 14:28:37 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=P/SiIIjmD2XCbYI2pDfUcDqagkUrweMousohGWFmAirEZwgMFLLeq5P7kz2g9T9bmtDJpNOY50kg6yu5M6imyBbwVptrzF4Hk+uafU80CCgKv4faXRIFFFKGhqZsTOTavFG+Tmd42cdcXiSr9DKu+JVdYqdp9LDx8k+xYhtZfT/yIKFGcinK3XXUfyax1F/1gf0eTHdwrju9zp1AdFAQrRV7tAxyiwUsiJzgdrJjC2SuIhhlKeyb98U6Ajak0SZ+ZrXxolrJKAWpHOToT+zELECYSX7fV4Wo3tfp3TzwZ270VWEA/QJyMEVgSXFSP6lwFRRh4uiBGO7MTPL2hdC3ZA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qWX6BY/+SeTDGfSCH9ZvuL5hYugrzpUZ83TmmBp8Wfc=; b=LClM/Ma9fzfS0aZvlY2dvrUmLtTEU66UEpbiyi1bsZCDVB2rvMjBRgSZw8UTdQX5J8rZLtezU4rEAqtX9bffG6ffS5hAbzCRlGXrDDr4N8SrCG9JhjCb8O1/LCPxyygQPCVi/jmeqX9YwLymnm4A/eDuXjhQKZylZiayC7qTplnBwu+J1DwP356QI0oaHDYQDTXY1kfxsfai2Ie7H9u/B6rZ8r0JIznNnTsnDVs4fOQZu1azSHc3hkIi4ciaVKcJq9m6gaJTXC+wBkykqt/wsFSjzIePKCiUf61tVGVMlQxvkWlbPcjA2AXIzFyLdawvHfOO6+56v5oZgjKxZkRCXQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qWX6BY/+SeTDGfSCH9ZvuL5hYugrzpUZ83TmmBp8Wfc=; b=pKFjY+oyiQi2Op4XT1RKhnMQIs6SUJBXRIXzSZ6E1QmwrnBwZWw4j4cjbVprTmJvvr0DxDCI5xkejkLWQ0LyXfU7Kzj/DWgJgacwU4U65aDB0/qx0slWPw93J74Du+4myjp3TvoF1/pydXI5SaeF+UVHAGDdErRuCLHkjKNzCLg=
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com (2603:10a6:208:106::13) by AM0PR08MB4529.eurprd08.prod.outlook.com (2603:10a6:208:148::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3109.21; Thu, 18 Jun 2020 14:28:35 +0000
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::39f5:e4d9:51ff:eae]) by AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::39f5:e4d9:51ff:eae%7]) with mapi id 15.20.3109.021; Thu, 18 Jun 2020 14:28:35 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Mohit Sethi M <mohit.m.sethi@ericsson.com>, "emu@ietf.org" <emu@ietf.org>
Thread-Topic: [Emu] draft-ietf-emu-eaptlscert-04
Thread-Index: AdY/A+a7cI/+21ekRcieJ5sNz2jGnwD88kyAAKFB8sA=
Date: Thu, 18 Jun 2020 14:28:35 +0000
Message-ID: <AM0PR08MB37163BE604A2DFD4E1332DFEFA9B0@AM0PR08MB3716.eurprd08.prod.outlook.com>
References: <AM0PR08MB3716E7DA898FADADBA1A6AAAFA830@AM0PR08MB3716.eurprd08.prod.outlook.com> <f884fde2-516b-3570-4fa0-ebc6bd45c2ba@ericsson.com>
In-Reply-To: <f884fde2-516b-3570-4fa0-ebc6bd45c2ba@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: e92d2509-e2db-422d-9ff8-4d82859d9c4b.1
x-checkrecipientchecked: true
Authentication-Results-Original: ericsson.com; dkim=none (message not signed) header.d=none; ericsson.com; dmarc=none action=none header.from=arm.com;
x-originating-ip: [80.92.122.58]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 5c47e7c6-6d6e-418f-97aa-08d81393e6f7
x-ms-traffictypediagnostic: AM0PR08MB4529:|VI1PR0801MB1662:
X-Microsoft-Antispam-PRVS: <VI1PR0801MB16620AA176DFD363A4B54F09FA9B0@VI1PR0801MB1662.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:9508;OLM:9508;
x-forefront-prvs: 0438F90F17
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: nYk4Z2kfx9Aktnfcj7+Ri0tdnupmxRBsgmhBlwFJi4TZhSZ0MJGOsvj0qYFKJosqag5vugQLT4KYqkR6njucdnj+QyAZJK0LzXSins+RZEbiEUZvAtExNtwgrEDBG5ADR6l4FIeIr08JjazIznycTxZx6evS3z6R9P+DXfNwff6g3YAgePCKQwYpKLdeXirdStzuyezdwyy6GFzyT9MHfhapU/6rzj5cSpYJ1zIXptWB/FJNB1qw0Qjdh1OjMCJh2+iVfpVkaDIkevDM3ykGoxQC6IDk7M/EfQNUi0VJ0mIGAVOZzyULYZDT1uNFwzKh8KOpYWVCUdOpxtyKB+gwi6d6bzQn6gzQsVOeDFt6cca+D+GzEXKqunSGOyt+oeTagf7sm6HYDZyuWJcU8CyNyw==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR08MB3716.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(376002)(396003)(366004)(39860400002)(136003)(7696005)(316002)(76116006)(110136005)(53546011)(86362001)(6506007)(66476007)(83380400001)(186003)(26005)(66556008)(66946007)(64756008)(66446008)(71200400001)(8936002)(2906002)(8676002)(33656002)(55016002)(966005)(5660300002)(52536014)(9686003)(478600001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: n7lX22ERX5uuzBPaMAAl1oY4kiHEPpuqKnUvjnKvpj4rQI6T0IM3d/FFBi3vQUl1g8AR8nQfEiRAqXrRJTUQ6YCxFhZtMflALaThdK46H35JwIiEMKNOKJcQsNzjwNOfUulR7iI2bjuZKXTsogRnqJDqWyRV6dx44dXyqrJY61fXqfWW3/JFTes5DZEQSAQGm1ex+kIsBtcJarB8Sw9YpYR5BAIOpdllOkLR2i8G4FqYDQAePWiyP40ZpvvCtKT6oNdVJmxFm8/GA/7JOF7ggmPJniQMsEG1jBs6Ta7E0CNcR6tQJwFqg+U/xQYMdK92KWWgo0koV0AoD/TzFp+D0cp7S57TkX+wCDPNb9Wru/szWa+1/saFsPsYaeUAOEn+1PLh4rRfTmRLinEuWCNhRNDIzPr11RrDxoIJXwr/e0REv41JsXgEnirus/pGY0MJAeCGBDCFxH8Se/mAMsgEYosRttOPSIaGhBFjZzO5WSk=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB4529
Original-Authentication-Results: ericsson.com; dkim=none (message not signed) header.d=none; ericsson.com; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT010.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(4636009)(376002)(136003)(39860400002)(346002)(396003)(46966005)(36906005)(70206006)(316002)(8936002)(82310400002)(33656002)(9686003)(70586007)(26005)(5660300002)(186003)(83380400001)(110136005)(966005)(336012)(47076004)(82740400003)(7696005)(52536014)(81166007)(8676002)(356005)(2906002)(53546011)(6506007)(478600001)(86362001)(55016002); DIR:OUT; SFP:1101;
X-MS-Office365-Filtering-Correlation-Id-Prvs: 3997391b-d8b4-4981-d7e4-08d81393e2d0
X-Forefront-PRVS: 0438F90F17
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: ddmL3T1Amy4jB92xT1ADXhdlevOCvKR0ic4+J0kJuDNOpzxBNjo5jT93wA4jIS8VIuFdvIf2hB1xhWi1eX/zFidXIajz7ola9iTQidsKxbXcy8EmP2YuI2VdOfBcC/LRMBxHG89gshMt0jAN0aPmuUqASWks/HykFDjf2Fa7nGENY00FQkGYvjbk5ZRslJJc903dYQ7Hf9zQEuTQAGeuJck9IVMyaMgeRVFW80l7OHQ+rjKn0f7qJVV051fZyBeQfw30gShJ1Rhyr373eJ0UKOSsaPmHWx8KCGBPge/eSGxFZJUrS7fm5c+Uhk0/7ea16AWgUNOh3CO5+ZraBeOBD03OcHSF0ZKx1OB7o61AQ0rVk3PBkokDAAk5O668JIeC+yfyxG+4HituL1PE4NOOXvrjN1QkzlkAHEKU7VCK/eEEbr7UtZn5q6s2iMYSoeXBLqPNTmzna3TbMwSXGQuEUkDFZYA50ragU6c5L4ojzEA=
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Jun 2020 14:28:42.7893 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 5c47e7c6-6d6e-418f-97aa-08d81393e6f7
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB1662
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/ygJ1_2ihLvGNdqlQAGQtZVI-ng0>
Subject: Re: [Emu] draft-ietf-emu-eaptlscert-04
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jun 2020 14:28:49 -0000

Thanks for the quick turn-over-time.

Looks good to me.

-----Original Message-----
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
Sent: Monday, June 15, 2020 11:31 AM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; emu@ietf.org
Subject: Re: [Emu] draft-ietf-emu-eaptlscert-04

Hi Hannes,

Thanks for the follow up. I have submitted a new version which should
address your concerns. Here is a diff for your convenience:
https://www.ietf.org/rfcdiff?url2=draft-ietf-emu-eaptlscert-05

Please see in-line for details.

I believe that the draft is now ready for publication.

--Mohit

On 6/10/20 12:02 PM, Hannes Tschofenig wrote:
> Thanks for the update.
>
> A few more minor comments on -04:
>
> Section 4.1:
>
> "TLS 1.3 [https://tools.ietf.org/html/rfc8446] requires implementations to support ECC."
>
> This is only true absent an application profile defining something else.
> The UTA group has just adopted a WG item that defines such a profile.
>
> Hence, I suggest to add the remark about the profile. Something like
>
> "In the absence of an application profile standard specifying
> otherwise, a TLS 1.3-compliant application must support ECC."
Done!
>
> 4.2.  Updating TLS and EAP-TLS Code
>
> Why are you calling the section "updating code"? The suggestion in 4.2.1 does not require code update and whether something requires a code update depends what you have in the code already. Maybe you just need to enable the feature.  Updating the code is also a negative aspect because you are likely going to update the code on a regular basis anyway to fix bugs and to support new algorithms. Luckily TLS has the extension negotiation built-in and hence you can detect and negotiate new features on the fly.
I agree that all code indeed should be updated to fix bugs and
vulnerabilities. However, updating applications and certificates is
certainly different from updating the underlying TLS library and EAP
implementation. Administrators in enterprise environments (where EAP-TLS
is widely used) have great control over when and how the server and
client updates are rolled out. The categorization in section 4 should
help administrators to decide how to avoid the fragmentation problem.
Whether it is issuing new certificates, updating the access points, or
updating the TLS and EAP-TLS implementation. Nonetheless, I have added
the following text: "This section discusses how the fragmentation
problem can be avoided by updating the underlying TLS or EAP-TLS
implementation. Note that in many cases the new feature may already be
implemented in the underlying library and simply needs to be taken into
use."
>
> 4.2.4.  Caching Certificates
>
> "The extension however necessitates a successful full handshake before any caching."
>
> This is not true. The spec defines a way to populate the cache by running a full handshake.
> However, you could also populate the cache by out-of-band means, for example by pre-distributing certs.
>
> The mechanism to re-run the handshake to populate the cache is, however, a safe fallback in case configuration changes and the pre-distributed certs become invalid. It is better to have a fallback.
>
> I thought I made that comment before.

You had raised this issue before and I had responded to you before. Here
is the response again:

Where does RFC 7924 (https://tools.ietf.org/html/rfc7924) talk about
populating the cache with an out-of-band mechanism? The text in Section
1 of RFC 7924 clearly states that:  "This specification defines a TLS
extension that allows a client and a server to exclude transmission
information cached in an earlier TLS handshake.". Notice the "earlier
TLS handshake" part. I certainly refuse to add or describe new
functionality which isn't discussed in the original RFC.

>
> 4.2.3.  Compact TLS 1.3
>
> You are still stating "This naturally means that cTLS is not interoperable with previous versions of the TLS protocol."
>
> cTLS is a compression of TLS, which means that you can fall-back to TLS, if the other peer does not support cTLS. As mentioned in my previous email, I don't understand why you are mentioning this aspect at all given that this document is about certificate size reduction.
I understand your desire of making cTLS look good. I am not sure how
hiding the information that cTLS doesn't interoperate with older
versions of TLS helps. Anyhow, I have removed that sentence since
progressing the draft at this is stage is more important than arguing
over one sentence.
>
> Raw Public Keys
>
> I wonder whether you should mention the possibility to use RPKs (https://tools.ietf.org/html/rfc7250) in Section 4.1.2 because those would be a fairly obvious choice in EAP-TLS given that we are talking about a nailed up connection between the EAP peer and the EAP server. This would obviously reduce the overhead associated with certificates considerably.

Added a new sub-section.

With this, I believe that all issues are resolved and the document is
ready for publication.

>
> Ciao
> Hannes
>
>
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email