Re: [Emu] Commitment Message in draft-ietf-emu-eap-tls13
Mohit Sethi M <mohit.m.sethi@ericsson.com> Tue, 16 June 2020 10:57 UTC
Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5D483A14F6 for <emu@ietfa.amsl.com>; Tue, 16 Jun 2020 03:57:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.091
X-Spam-Level:
X-Spam-Status: No, score=-2.091 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 563u9iH9px6q for <emu@ietfa.amsl.com>; Tue, 16 Jun 2020 03:57:54 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2085.outbound.protection.outlook.com [40.107.20.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D39E3A14F2 for <emu@ietf.org>; Tue, 16 Jun 2020 03:57:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=l9PczQDVnWk2VYlcy1U5unWCg/Al8qEOCU9Vgv97SCywqnRRYJwLN/kHTR4RJ1eZKln4AAW72UbxnkMpWP+4w9itCd4VUhuWykvk/ZBap+jYnfOZ2QApZfcebM7VdN0iAQ90283Z4Llk+4DgBQI1WdYZ1wQr7+fMZTrFgmVdpmOb/UAbwSrwOf4Wqqsylq0EKqoQ/u1+BcJ4tjhRtMyM1Gd26b8BKKp8aS4bD8U2gwwMCUaBnnq1j9/pHjPAZOKwaSyzVpP5I/7NGn+Zwd2knzB1mts0dTonAY+cY0wKMvhA12zwZFMLwVZV3aC55ZfV+qNyr51QC7ac/KF3WTl3Ew==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IwOVG8QG+iruNjuteVJXBTUnvo2qrfdfXLL7IwCmgEE=; b=PVFii166QrfgE3a4erOhRN9Qoj7V5R3+5Gjm7iamf3lwGkLSWK3HhkOI5livTlRZCKNz1rWRmp1AKpn+x4/Gyh9QkwaxQuBalyfViszWY0V5QRWJgQf2EFPgyIPJ6DShFRTtcZhxtoaf4SCHQWfqdZvMwRn2HrF2cdP26XR51w/5oOH+pc/ZVmKW5FcGUToWlxWlhGL2NDhlPzYt8tMlj+Lagjx3LP9RRnW40xeOZ+GinTZQlnU7hzV4ReLUHXH2LAPkfw8wrj5DM1HrUpEr4GfEt5iY6FZIScO8k9PKSp2+C2wgvrzoVAkaKWIbNPhSoeBZbtlyrWmUaV5okLP+6w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IwOVG8QG+iruNjuteVJXBTUnvo2qrfdfXLL7IwCmgEE=; b=vCNUTO5a1l6H5Kdji2O2IoAHwRk0qXUj/Cp+dR84//F1KRwogXFlrpbtarrcG8v/Qszs3mtG/HLskyIlj/Dtlbjr45aCMQLiEkcxSyzwqmQ4Bbh21cKaLB47QK5C5KFdmoGC8oROmzvBbRft3z3TBCC5pwXbyiCM1ItXRIUg4iw=
Received: from HE1PR07MB3386.eurprd07.prod.outlook.com (2603:10a6:7:2d::25) by HE1PR07MB3274.eurprd07.prod.outlook.com (2603:10a6:7:2f::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3109.13; Tue, 16 Jun 2020 10:57:50 +0000
Received: from HE1PR07MB3386.eurprd07.prod.outlook.com ([fe80::2569:99db:f1db:4f8e]) by HE1PR07MB3386.eurprd07.prod.outlook.com ([fe80::2569:99db:f1db:4f8e%7]) with mapi id 15.20.3109.018; Tue, 16 Jun 2020 10:57:50 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "emu@ietf.org" <emu@ietf.org>
Thread-Topic: [Emu] Commitment Message in draft-ietf-emu-eap-tls13
Thread-Index: AQHWQxwhidapLR1LHUae6YFWy2dwOqja/WsAgAANM4CAAAUoAIAAA/SA
Date: Tue, 16 Jun 2020 10:57:50 +0000
Message-ID: <b4abcdb3-14d3-8cd9-8995-462711360520@ericsson.com>
References: <AM0PR08MB37162AE5F0175B95A237B31EFA810@AM0PR08MB3716.eurprd08.prod.outlook.com> <1e769dbd-b563-0ba6-c398-8066c6151310@ericsson.com> <AM0PR08MB3716E91CA6F8D39A6F7AF3AEFA9D0@AM0PR08MB3716.eurprd08.prod.outlook.com> <116a2a3f-9d9c-d99e-715a-2531f59da7a8@ericsson.com> <AM0PR08MB371611B4AADA5FCF9604E0B6FA9D0@AM0PR08MB3716.eurprd08.prod.outlook.com>
In-Reply-To: <AM0PR08MB371611B4AADA5FCF9604E0B6FA9D0@AM0PR08MB3716.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
authentication-results: arm.com; dkim=none (message not signed) header.d=none;arm.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [2001:14bb:140:4147:9db5:d2f7:7e10:bb6b]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 098a6433-0bf3-49f5-3f0c-08d811e41cc4
x-ms-traffictypediagnostic: HE1PR07MB3274:
x-microsoft-antispam-prvs: <HE1PR07MB3274C9AD9B30E71AD8AFE922D09D0@HE1PR07MB3274.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 04362AC73B
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: DA790j8LqtS0b/maW0Ojf54UOqc22wYXCygZ8ydCC8npWZBTyygM3nKJHMbOLhGjnH/2l3GhBAjiS3GQKOGbJsY5HkykdrrYkJKgS2/ppyNkyVQzhmXAuy/QHo/YXInx7uhjMDDlWhFukp8SlPyofggGV46hzDAgtRVSP9+uvfygKOmcJyPoW19Z83MD8PpdOwOpfqcgOb2WvXTeG3X5iToo9REUyN2hWTVybgN1PQMpQVpq2GE2xOaYsTBsSZrO3bzLJwwwwAGBu+NY3kbGpz55sXFPDncJlDq3wExjkxTd/r+4DNBcTQyFViItidH9deCBqq8xWTWlVIjDLw/HjlOQg9IWI7XXRkw2VVpGgQ1/7w0PfAdh3RUeco6YWxyaeBBNAE1M8DdBa74Cn1ZYfgSkkrEzKFH92mAGcOoBqHPZcwgB6uQDDBZhhQB10/sf8Q77GTFP4PJuxTE2OXB3Iw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB3386.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(136003)(346002)(39860400002)(366004)(396003)(376002)(166002)(2906002)(6512007)(316002)(110136005)(83380400001)(30864003)(31686004)(66446008)(186003)(36756003)(66556008)(2616005)(66946007)(66476007)(66616009)(76116006)(8676002)(64756008)(18074004)(5660300002)(966005)(99936003)(6506007)(53546011)(6486002)(31696002)(15650500001)(86362001)(478600001)(71200400001)(8936002)(43740500002)(559001)(579004); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: jQHuWjLcn3SwlR+0s5TjL4PZe3vbRFHs5O9vcK29pv+vDT8/LRtO49SSphbWaeHtx1/D1b9NTayf/5xvFJ8pj38X9VMU0TbEh+Y/fD6Nk3jyGrn17VGa9JsK6HR/VApAQZVrCeqFXMRMFeZpXCUXAwhB2XQrdLYNSUgbyoorRiBTzjuBhdcqxzc83A/53eI3w//vUtY9syJa3KFTS9mo697KVcUx5Oyqzh0mjlVT3QxlDTiboemEzZtrETmWcN2KoBZMvq1QqGzHxmAda/h+mVH0PDrw/lmOMn8uOkLtcVA03Lt06loLBEysjXjGg4DBccHAT63Nwrsmi5ofMmXxfh2PhfZ5OZXj9lCtsJuTnV6E0ZiiTDHNCi3Ek0H6xYMTSxN6dq8UyWJgdhd343vWNsH0RDPB/PgVtfhzJNkFQaDGpRdvf811ehDpwIch71jaysX+t7YwyCr9ezF+efqZw4HvLoWnX8N4ZlZVvsWJdpfgxLvgzel/ov7T4+vrHsV1CKN70fcHAquOGMH00F94Mdso/yLp2ZpOgZpa0HSiPUjoZ6s7xaHGa++XV8V3UD1c
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms060601040200000608060408"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 098a6433-0bf3-49f5-3f0c-08d811e41cc4
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Jun 2020 10:57:50.4554 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 46aPf+lkKHaJ3YTuI7jL1Miki3og0q3DM8yccidaIeSHfJJMmOR9RHUY8P/fNHxjOJDmoM1Ca77RkYTLXnX8BL7OX2CKqH38ThH8mJfimQ0=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3274
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/jG0YRfzlqSnc_wz3v2h-SLzY9x8>
X-Mailman-Approved-At: Tue, 16 Jun 2020 03:58:18 -0700
Subject: Re: [Emu] Commitment Message in draft-ietf-emu-eap-tls13
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jun 2020 10:57:59 -0000
Hi Hannes, Thanks for you super quick response too. Based on your feedback, I am leaning towards : > Use the Commitment Message as an application layer payload (encrypted > as it should be). (Note that this has nothing to do with early data.) > If the OpenSSL spec does not support an application layer message from > the server right after the finish then it is not compliant to the TLS > 1.3 RFC. It would also result in the smallest change to the current specification. Only the description of how the commitment message is constructed needs to be changed. I agree that sending a notification to an unauthenticated peer in this case is fine. I wonder how others feel about this change. --Mohit On 6/16/20 1:43 PM, Hannes Tschofenig wrote: > > Hi Mohit, > > See below. Thanks for your super quick response. > > *From:* Mohit Sethi M <mohit.m.sethi@ericsson.com> > *Sent:* Tuesday, June 16, 2020 12:25 PM > *To:* Hannes Tschofenig <Hannes.Tschofenig@arm.com>; Mohit Sethi M > <mohit.m.sethi@ericsson.com>; emu@ietf.org > *Subject:* Re: [Emu] Commitment Message in draft-ietf-emu-eap-tls13 > > Hi Hannes, > > On 6/16/20 12:37 PM, Hannes Tschofenig wrote: > > Hi Mohit, > > I had a chance to read through the emails you provided. A good > discussion. > > I can offer three solutions: > > 1. Use EAP-Success / EAP-Failure as an indication for the > completion of the exchange, even if it is not a reliable > notification mechanism. If the EAP peer does not receive the > NewSessionTicket message then it does not matter because it is > optional to use anyway. It will be a failure case anyway if > the EAP-Success / EAP-Failure got lost. They EAP peer may not > even know whether the exchange was successful despite > correctly processing TLS handshake messages. > > I am uncomfortable doing this without updating RFC 3748. Not only will > we be violating RFC 3748, we would still have the problem of peer > uncertainty about the next message. It could be a NewSessionTicket or > EAP-Success/Failure. > > [Hannes] What is done in EAP today? > > 2. Demand that the NewSessionTicket is sent immediately after the > Finished, very much like you currently demand that the > Commitment Message is attached to the last message. > > I assume that you imply immediately after the server has sent its TLS > Finished (and not after the server has received the TLS Finished from > the peer)? Are you also implying that a NewSessionTicket should always > be sent out, regardless of whether a server wants or supports > resumption? What if the server is issuing several tickets? > > [Hannes] I would leave it as an option to send a NewSessionTicket but > it is sent then it has to be in the last message. Here is the exchange: > > Case 1: NewSessionTicket Message Sent > > EAP Peer EAP Server > > EAP-Request/ > > <-------- Identity > > EAP-Response/ > > Identity (Privacy-Friendly) --------> > > EAP-Request/ > > EAP-Type=EAP-TLS > > <-------- (TLS Start) > > EAP-Response/ > > EAP-Type=EAP-TLS > > (TLS ClientHello) --------> > > EAP-Request/ > > EAP-Type=EAP-TLS > > (TLS ServerHello, > > TLS EncryptedExtensions, > > TLS CertificateRequest, > > TLS Certificate, > > TLS CertificateVerify, > > <-------- TLS Finished, > > TLS NewSessionTicket) > > EAP-Response/ > > EAP-Type=EAP-TLS > > (TLS Certificate, > > TLS CertificateVerify, > > TLS Finished) --------> > > <-------- EAP-Success > > Case 2: No ticket sent > > EAP Peer EAP Server > > EAP-Request/ > > <-------- Identity > > EAP-Response/ > > Identity (Privacy-Friendly) --------> > > EAP-Request/ > > EAP-Type=EAP-TLS > > <-------- (TLS Start) > > EAP-Response/ > > EAP-Type=EAP-TLS > > (TLS ClientHello) --------> > > EAP-Request/ > > EAP-Type=EAP-TLS > > (TLS ServerHello, > > TLS EncryptedExtensions, > > TLS CertificateRequest, > > TLS Certificate, > > TLS CertificateVerify, > > <-------- TLS Finished) > > EAP-Response/ > > EAP-Type=EAP-TLS > > (TLS Certificate, > > TLS CertificateVerify, > > TLS Finished) --------> > > <-------- EAP-Success > > > > 3. Use the Commitment Message as an application layer payload > (encrypted as it should be). (Note that this has nothing to do > with early data.) If the OpenSSL spec does not support an > application layer message from the server right after the > finish then it is not compliant to the TLS 1.3 RFC. > > How would that work? How can server send encrypted application layer > payload without having received the TLS Finished from the peer. > > [Hannes] Here is a copy-and-paste from the TLS spec: > > Client Server > > Key ^ ClientHello > > Exch | + key_share* > > | + signature_algorithms* > > | + psk_key_exchange_modes* > > v + pre_shared_key* --------> > > ServerHello ^ Key > > + key_share* | Exch > > + pre_shared_key* v > > {EncryptedExtensions} ^ Server > > {CertificateRequest*} v Params > > {Certificate*} ^ > > {CertificateVerify*} | Auth > > {Finished} v > > <-------- [Application Data*] > > ^ {Certificate*} > > Auth | {CertificateVerify*} > > v {Finished} --------> > > [Application Data] <-------> [Application Data] > > The TLS 1.3 spec says: > > Note that while the > > server may send Application Data prior to receiving the client's > > Authentication messages, any data sent at that point is, of course, > > being sent to an unauthenticated peer. > > The question is whether the aspect of sending data to an > unauthenticated peer matters in this case? I would argue that it does > not matter because the currently defined Commitment message is > unencrypted. > > While I am open to discussing better alternatives, I think from an > implementation perspective, it makes sense to have a definite > notification mechanism for the server to notify the peer that no more > post-handshake messages are to be expected. > > [Hannes] I am trying to find out how to implement this functionality > into our stack and it looks painful (developer-visible API changes). > Of course, it is difficult to accommodate for not yet invented > post-handshake authentication messages. We don’t even know whether > they will be compatible with the network access authentication use case. > > Ciao > > Hannes > > PS: I believe it would be good to highlight this specific aspect in > the introduction of the document. For me it appeared that the > specification is largely a copy-and-paste job but this clearly is > something worth highlighting to the reader/implementer. > > --Mohit > > The current solution in the draft, for example, does not work with > Mbed TLS because you cannot tell the stack to suddenly bypass the > encryption layer (after successfully establishing it) to send a > plaintext message. > > Ciao > > Hannes > > *From:* Mohit Sethi M <mohit.m.sethi@ericsson.com> > <mailto:mohit.m.sethi@ericsson.com> > *Sent:* Monday, June 15, 2020 3:52 PM > *To:* Hannes Tschofenig <Hannes.Tschofenig@arm.com> > <mailto:Hannes.Tschofenig@arm.com>; emu@ietf.org <mailto:emu@ietf.org> > *Subject:* Re: [Emu] Commitment Message in draft-ietf-emu-eap-tls13 > > Hi Hannes, > > Unfortunately you are wrong here. The design decision was in fact > taken to avoid changes to the underlying TLS implementation while > also avoiding changes to RFC 3748. To summarize: > > Jouni Malinen pointed out that mapping session resumption of TLS > 1.3 to EAP-TLS is non-trivial. See his email here: > https://mailarchive.ietf.org/arch/msg/emu/SBdblHmLQTbBwoZHK8Rih-g5ne8/. > Essentially, TLS 1.3 allows a server to send a Post-Handshake > message with a NewSessionTicket at any time. However, in EAP-TLS > this is not possible. The TLS tunnel is torn down after > authentication. John notes in his response to Jouni > (https://mailarchive.ietf.org/arch/msg/emu/nNUw61cTvHgWj8F0sOVRoICUzlk/) > "in TLS the connection is assumed to stay open for a long time > after the client sends Finished, in EAP the connection is assumed > to be closed shortly after." > > An earlier cleaner way of sending NewSessionTicket required an > extra round trip and left the peer uncertain about the next > message > (https://tools.ietf.org/html/draft-ietf-emu-eap-tls13-00#section-2.1.1). > Jouni highlighted this uncertainty for a peer: " the peer has no > idea whether the NewSessionTicket is delivered after > ClientFinished. In other words, the next message in the sequence > could be either continuation of EAP-TLS method or EAP-Success". > You ask "why cannot the EAP-Success or EAP-Failure serve that > purpose?". See RFC 3748 (https://tools.ietf.org/html/rfc3748) > which says the following: > > Implementation Note: Because the Success and Failure packets are not > > acknowledged, they are not retransmitted by the authenticator, and > > may be potentially lost. A peer MUST allow for this circumstance as > > described in this note. > > and > > On the peer, after success result indications have been exchanged by > > both sides, a Failure packet MUST be silently discarded. The peer > > MAY, in the event that an EAP Success is not received, conclude that > > the EAP Success packet was lost and that authentication concluded > > successfully. > > > Thus, EAP-Success cannot be used as a reliable notification > mechanism. Till version 05 of the document, we used an empty > application data record as a notification of the last handshake > message. The text said: > > When an EAP server has sent its last handshake message (Finished or a > > Post-Handshake), it commits to not sending any more handshake > > messages by appending an empty application data record (i..e. a TLS > > record with TLSPlaintext.type = application_data and > > TLSPlaintext.length = 0) to the last handshake record. After sending > > an empty application data record, the EAP server may only send an > > EAP-Success, an EAP-Failure, or an EAP-Request with a TLS Alert > > Message. > > However, Jouni in a later response > (https://mailarchive.ietf.org/arch/msg/emu/WA8OREhTsF8JEPvaixGoCwmd1qY/) > noted that such behavior is non-trivial to achieve with OpenSSL. > He notes " OpenSSL is not willing to send such an empty > TLSPlaintext structure. SSL_write() has following to say : 'You > should not call SSL_write() with num=0, it will return an error. > SSL_write_ex() can be called with num=0, but will not send > application data to the peer.'" > > Therefore, the text was later updated to: > > When an EAP server has sent its last handshake message (Finished or a > > Post-Handshake), it commits to not sending any more handshake > > messages by sending a Commitment Message. The Commitment Message is > > a TLS record with application data 0x00 (i.e. a TLS record with > > TLSPlaintext.type = application_data, TLSPlaintext.length = 1, and > > TLSPlaintext.fragment = 0x00). Note that the length of the plaintext > > is greater than the corresponding TLSPlaintext.length due to the > > inclusion of TLSInnerPlaintext.type and any padding supplied by the > > sender. EAP server implementations MUST set TLSPlaintext.fragment to > > 0x00, but EAP peer implementations MUST accept any application data > > as a Commitment Message from the EAP server to not send any more handshake messages. > > There is still a challenge in scenarios where a server chooses not > to issue any NewSessionTicket. In this email: > https://mailarchive.ietf.org/arch/msg/emu/PgGjhmafbbSJCcQctDsFw7AvNmU/ > Jouni notes this problem: > > I did see some issues when OpenSSL 1.1.1 when disabling sending of > > session tickets, though. The current draft indicates that the empty > > Application Data payload would be send out in the same EAP packet with > > the server's Finished message, i.e., before the server having > > authenticated the peer. And this would be done without the peer having > > used TLS early data (which is explicitly disallowed in the draft). That > > combination did not work with my experiments since OpenSSL was rejecting > > the SSL_write() operation after the server having written own Finished > > message, but before having received the Finished message from the peer.. > > The OpenSSL documentation seemed to imply that SSL_write_early_data() > > could be used by the server _if_ the client first sent early data.. At > > least in my tests, OpenSSL rejected that call without early data from > > the client. > > This is why the current text also says the following: > > The Commitment Message may be sent in the same > > EAP-Request as the last handshake record or in a separate EAP- > > Request. Sending the Commitment Message in a separate EAP-Request > > adds an additional round-trip, but may be necessary in TLS > > implementations that only implement a subset of TLS 1.3. In the case > > where the server sends the Commitment Message in a separate EAP- > > Request, the conversation will appear as shown in Figure 9. After > > sending the Commitment Message, the EAP server may only send an EAP- > > Success, an EAP-Failure, or an EAP-Request with a TLS Alert Message. > > Thus, the current design decision has been guided by parallel > implementation experience and it is the best solution we could > come up with (given all the practical limitations). > > --Mohit > > On 6/12/20 11:36 AM, Hannes Tschofenig wrote: > > Hi all, > > This has probably been discussed extensively in the EMU group. > I am sorry to bring it up again but I believe this is a bad > design decision. I raised it in my short review just sent to > the list but I believe it is worthwhile to point it out > separately. > > draft-ietf-emu-eap-tls13 introduces a new message to EAP-TLS, > namely the Commitment Message. This requires extra code in an > implementation because the normal behavior would be to run a > TLS stack and then send encrypted data. > > EAP-TLS does, however, not send application data*. This > message changes this. Not only does it not send encrypted > application data it requires an implementation to transmit a > plaintext application data record after the application > traffic secret has been created and before that application > traffic secret is used to protect post handshake messages. > This will make it difficult to re-use an off-the-shelf TLS 1.3 > stack. > > There is very little motivation about this message other than > > > > “ > > When an EAP server has sent its last handshake message > (Finished or a > > Post-Handshake), it commits to not sending any more handshake > > messages by sending a Commitment Message. > > “ > > I might miss something important here but why cannot the > EAP-Success or EAP-Failure serve that purpose? > > Here are two examples to explain what I mean: > > 1. Failed exchange > > EAP Peer EAP > Server > > > EAP-Request/ > > <-------- > Identity > > EAP-Response/ > > Identity (Privacy-Friendly) --------> > > > EAP-Request/ > > > EAP-Type=EAP-TLS > > <-------- (TLS > Start) > > EAP-Response/ > > EAP-Type=EAP-TLS > > (TLS ClientHello) --------> > > > EAP-Request/ > > > EAP-Type=EAP-TLS > > (TLS > ServerHello, > > TLS > EncryptedExtensions, > > TLS > CertificateRequest, > > TLS > Certificate, > > TLS > CertificateVerify, > > TLS > Finished, > > <-------- Commitment Message) > > EAP-Response/ > > EAP-Type=EAP-TLS > > (TLS Certificate, > > TLS CertificateVerify, > > TLS Finished) --------> > > > EAP-Request/ > > > EAP-Type=EAP-TLS > > <-------- (TLS Fatal > Alert) > > EAP-Response/ > > EAP-Type=EAP-TLS --------> > > <-------- EAP-Failure > > 2. Successful Exchange with Post-Handshake NewSession Ticket > > EAP Peer EAP > Server > > > EAP-Request/ > > <-------- > Identity > > EAP-Response/ > > Identity (Privacy-Friendly) --------> > > > EAP-Request/ > > > EAP-Type=EAP-TLS > > <-------- (TLS > Start) > > EAP-Response/ > > EAP-Type=EAP-TLS > > (TLS ClientHello) --------> > > > EAP-Request/ > > > EAP-Type=EAP-TLS > > (TLS > ServerHello, > > TLS > EncryptedExtensions, > > TLS > CertificateRequest, > > TLS > Certificate, > > TLS > CertificateVerify, > > <-------- TLS > Finished) > > EAP-Response/ > > EAP-Type=EAP-TLS > > (TLS Certificate, > > TLS CertificateVerify, > > TLS Finished) --------> > > > EAP-Request/ > > > EAP-Type=EAP-TLS > > (TLS > NewSessionTicket, > > <-------- Commitment Message) > > EAP-Response/ > > EAP-Type=EAP-TLS --------> > > <-------- EAP-Success > > Ciao > > Hannes > > (*): FWIW Post handshake messages are protected with the > application traffic secrets. > > IMPORTANT NOTICE: The contents of this email and any > attachments are confidential and may also be privileged. If > you are not the intended recipient, please notify the sender > immediately and do not disclose the contents to any other > person, use it for any purpose, or store or copy the > information in any medium. Thank you. > > > _______________________________________________ > > Emu mailing list > > Emu@ietf.org <mailto:Emu@ietf.org> > > https://www.ietf..org/mailman/listinfo/emu <https://www.ietf.org/mailman/listinfo/emu> > > IMPORTANT NOTICE: The contents of this email and any attachments > are confidential and may also be privileged. If you are not the > intended recipient, please notify the sender immediately and do > not disclose the contents to any other person, use it for any > purpose, or store or copy the information in any medium. Thank you. > > _______________________________________________ > > Emu mailing list > > Emu@ietf.org <mailto:Emu@ietf.org> > > https://www.ietf.org/mailman/listinfo/emu > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose > the contents to any other person, use it for any purpose, or store or > copy the information in any medium. Thank you.
- [Emu] Commitment Message in draft-ietf-emu-eap-tl… Hannes Tschofenig
- Re: [Emu] Commitment Message in draft-ietf-emu-ea… Mohit Sethi M
- Re: [Emu] Commitment Message in draft-ietf-emu-ea… Hannes Tschofenig
- Re: [Emu] Commitment Message in draft-ietf-emu-ea… Hannes Tschofenig
- Re: [Emu] Commitment Message in draft-ietf-emu-ea… Mohit Sethi M
- Re: [Emu] Commitment Message in draft-ietf-emu-ea… Hannes Tschofenig
- Re: [Emu] Commitment Message in draft-ietf-emu-ea… Mohit Sethi M