IETF Logo Mail Archive

Re: [Emu] New Version Notification for draft-janfred-eap-fido-02.txt

Alan DeKok <aland@deployingradius.com> Tue, 05 March 2024 12:41 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 978F6C14F5F4 for <emu@ietfa.amsl.com>; Tue, 5 Mar 2024 04:41:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yF8xfWCJA1QR for <emu@ietfa.amsl.com>; Tue, 5 Mar 2024 04:41:01 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C96BC14F5EB for <emu@ietf.org>; Tue, 5 Mar 2024 04:41:00 -0800 (PST)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 84F9620C; Tue, 5 Mar 2024 12:40:57 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <9ddcd434-c72d-4bcf-aeb6-a57b5314becb@dfn.de>
Date: Tue, 05 Mar 2024 07:40:56 -0500
Cc: emu@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <3D962ED4-D5B4-4BAD-AB2C-AB8999EF7A48@deployingradius.com>
References: <170932527085.22824.18343512124707075119@ietfa.amsl.com> <66bca1b2-4b2d-429d-8f85-5c76d29005ad@dfn.de> <c2951f3d-bcc7-4b90-bcdd-077a506dd464@app.fastmail.com> <5e5f794d-a260-4fc4-b4c0-fbe13ed54691@dfn.de> <2A73CDC3-9D44-433B-8948-405917CA69F0@deployingradius.com> <bf52a9e3-bcf9-4e69-962d-42b6bb975142@app.fastmail.com> <CAA7Lko8diwXstKPKb1++tkS58xYFmoHTbR__ndz77-DkJ227ZA@mail.gmail.com> <9ddcd434-c72d-4bcf-aeb6-a57b5314becb@dfn.de>
To: Jan-Frederik Rieckers <rieckers@dfn.de>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/jgYqtCGHibHkuM7Ap6g0h-_PMBE>
Subject: Re: [Emu] New Version Notification for draft-janfred-eap-fido-02.txt
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 12:41:05 -0000

On Mar 5, 2024, at 5:46 AM, Jan-Frederik Rieckers <rieckers@dfn.de> wrote:
> Well, the beauty of CBOR is that it is very easily extendable.
> I completely agree that, with the limited list of map keys, using CBOR instead of TLVs seems like shooting cannons at mosquitos, but if in the future we want to do more with this, we can.

  Extensibility also has its downsides.  If we're not sure we need the functionality, then *unused* functionality is ripe for exploits or issues.

> Resource exhaustion is a problem in CBOR, as it is in any other serialization/deserialization solution.

  If we only need 3 pieces of data, none nested, then CBOR has more issues than TLVs, due to it's inherent nesting.

  i.e. the temptation for implementors is to pass the raw CBOR data to a CBOR library.  Which means nested structures, complex maps, etc.  And none of that will be used by EAP-FIDO.

  For now I'd suggest concentrating on getting the crypto right, and the request / response exchange.  Data encoding can always be changed before it's widely implemented.

> They also limit the length of a CBOR message, with a recommendation that every authenticator MUST support at least messages of 1024 bytes and that platforms have to respect the max message length signaled by the authenticator.

  So EAP-FIDO would also need to negotiate / signal message length?

> We could say something similar about the allowed depth and length of the CBOR messages sent in EAP-FIDO.

  Is that fixed, or negotiated?

  Alan DeKok.

v2.23.0 | Report a Bug | By Email