Re: [Emu] draft-ietf-emu-eaptlscert-04
Mohit Sethi M <mohit.m.sethi@ericsson.com> Mon, 15 June 2020 09:31 UTC
Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E43F33A0B68 for <emu@ietfa.amsl.com>; Mon, 15 Jun 2020 02:31:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TbZIVyaWv-vZ for <emu@ietfa.amsl.com>; Mon, 15 Jun 2020 02:31:14 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60050.outbound.protection.outlook.com [40.107.6.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CDD03A0B25 for <emu@ietf.org>; Mon, 15 Jun 2020 02:31:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kAJLF9kdux+Mq/BLofQRrOzwQFJwwzJiEp4f5sMTshPJYtsqCihGCqbFnXt28KZqKVHsJZxP0lNE+xhzRYiFtT3mtUf45IEA5lc7Abh/fwXMwiogRPzY1yEKqnqj1QiVjNoUmuWSPKGIsMNvUtpwrhlJQoJ0eC+5nQCUlEPO9AlH85mWhIfwmg0+BkcjhdlJEEnakSLgh+cSlRw6LqhklVkhdqNBU2PAzqJDgHhitSBnNNZAyGDu3eK3a57T2I3cPjrj4wUzyVtJCs2vB/4bKIrSm9GVvFvwvt+KPHdbcvKM78DyL+tLGExUoRIDwhYfDS6FE+JtkCB6g2F6eVYKJQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/rMpMRR90HL96w54IaqyCntQ/Oslrjd9uq2OFa95XUM=; b=nKxWwTbSBrIddhX2OcpZ8D/RBQD7ufHMHDVr/ws2EhUTmcsGivJ2NcgZ674t3hTI+09HxVkuLD1WkCvveabUva+bl4mHz0Nlq7XV5U9wIPdluFpYR2LsEpVKxSK2fZh77bkA/MhThMGHdJBN0TnwQ1ABUm8o6BrAEHZ2lpNvRb5TIGIl+rgD3eFRGF4cMiJorN2TebWOpJjFIdrRrMyurHCsCI9747JJQxs+E/yr7J6UQt3b8gZiP98MBP0NGsfLJtR2xaahuRkh71UEcwHgUKX6My/iC1g9Mwp5vi60C11I7J//uBbg2DQbp9V0i4UUCh9vXIEKXHAfsZzM+DWuQQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/rMpMRR90HL96w54IaqyCntQ/Oslrjd9uq2OFa95XUM=; b=M+9LjkBBc+WrWQtx0HKSudpwxsGGT1NcrNJAGAvbXIqA1tP5fkyxJWUd4VNx1O2Jmxqf7yiidQQRJ9iuudGHiFSnjzo6GB9lbQrA5NVQfF6CQ5qJcMIW3Ncjg5ho/xR0J5QhQ/ctR3ENxGdu+ilMn+9PaA1RqSfUv9BPjz0XqrI=
Received: from HE1PR07MB3386.eurprd07.prod.outlook.com (2603:10a6:7:2d::25) by HE1PR0701MB2554.eurprd07.prod.outlook.com (2603:10a6:3:94::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3109.11; Mon, 15 Jun 2020 09:31:04 +0000
Received: from HE1PR07MB3386.eurprd07.prod.outlook.com ([fe80::2569:99db:f1db:4f8e]) by HE1PR07MB3386.eurprd07.prod.outlook.com ([fe80::2569:99db:f1db:4f8e%7]) with mapi id 15.20.3109.010; Mon, 15 Jun 2020 09:31:04 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "emu@ietf.org" <emu@ietf.org>
Thread-Topic: [Emu] draft-ietf-emu-eaptlscert-04
Thread-Index: AQHWQvevvXLTCVkc1kWEopXjeZvdfA==
Date: Mon, 15 Jun 2020 09:31:03 +0000
Message-ID: <f884fde2-516b-3570-4fa0-ebc6bd45c2ba@ericsson.com>
References: <AM0PR08MB3716E7DA898FADADBA1A6AAAFA830@AM0PR08MB3716.eurprd08.prod.outlook.com>
In-Reply-To: <AM0PR08MB3716E7DA898FADADBA1A6AAAFA830@AM0PR08MB3716.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
authentication-results: arm.com; dkim=none (message not signed) header.d=none;arm.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [2001:14bb:140:4147:9db5:d2f7:7e10:bb6b]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b17dfcd6-e152-4495-302d-08d8110ed30c
x-ms-traffictypediagnostic: HE1PR0701MB2554:
x-microsoft-antispam-prvs: <HE1PR0701MB25543D50424354EC215B0B85D09C0@HE1PR0701MB2554.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 04359FAD81
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Yjet4fdWT842Qim5QkQYPtFVhIl93g/384DEMUoivpmfY/iEHFoEAeYo2qsPx2q754OeP25Avg7aWMG3RB2plBoRurDfyRw5a7Y35fc+FwM/robx9AwuGj7B8Z2mZObNMnmEGlax9UGuVEYuBFVZBBMOeqYpX5Vc87f90115Y13efDo1DCxm8Ojw2x2lBH4kYyjLMSN++3JDfqp2St+bXtw/XRACsBM1IVsZyG1XG73KwO9y28h+0JE4WgBRSZ2NeXt3ZEDtMjh6Kkdi9KYoL66l2KEGfVEt34yqDcWrpL60r+twucbKvtn+K0jfN2V+zGMco+NLtUZ5XwIuNkpXXlP/I7mD3M8UUzzdZAaDZg5fpkKQOnBMqErPv/gkbmODPxIx5WDimq4qbvCwAsR59M8Bv9cka+Zrx7ltw4qwKlSmrCIPkfrZ3WTyaHIPjyxcu0ZQ5WfH+ybC8B7xF9D+tw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB3386.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(376002)(346002)(396003)(136003)(366004)(64756008)(66616009)(66476007)(6486002)(66556008)(76116006)(66446008)(86362001)(71200400001)(966005)(8936002)(6512007)(31696002)(5660300002)(66946007)(83380400001)(99936003)(8676002)(31686004)(186003)(478600001)(36756003)(6506007)(53546011)(2906002)(2616005)(110136005)(316002)(43740500002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: x78VSqkDaGpz0eDiMSRadPyNjH8PZ0hB7gNM5N60H0Ru3xhd74GUVmf7UmFwVjRdmOjM97V/FHQOoqx6kscph53NXvUrNk8xVZROfEUJNkI+aP9d5b8WwYZWQai3iwm8ziUY2AwbM4aQMoMP8awoxcYQYpGvH/dchl/oTGhA3VQ/xy5fHjpOxX8YxCADFYr4WJPOKgEhPYPAAF6NXPsOJnQ1rSjZsdhfb5E5oshtaXX4KOchggQ5ALSsRy3l5rvFPinykXs2hmvVg/gnWiprE9bWUtGcmcDnqrmi7xCF5u4qf8QtWaafTEU9JENx13eE6A+tsfPlufAIWFl2GG74+lyU0a2/CAzVKmTmBRPFaYHuF5Ddjt/IkOlesEUWUKxgco+buoXrMibNJ7oIpSVC6rezfNXAUNOgmnpDhQ+LBjBW1W6Xh1yM/3ouDuNgYsJseA0UyNhLFRd2a7DhNd+wiDpudM+Eq5hiyqkMtYmpNTw/9V/CahRzrCaeUT6R50Hp0WqhGdkriN7p1tVw6uEskesJ7zFpj/ohyBHs/R3j48+nehbhBC/eaKfG7JbTDinr
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms050406030507080209010105"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b17dfcd6-e152-4495-302d-08d8110ed30c
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Jun 2020 09:31:03.9681 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Iq5+MAsnc76y1sM68shBkX0aGaNzF0m5gl8L0KhNK+XwCDYy3AZ/tM7CUmDFgiLU8LirB7/qoH0JFE33ftQR5POjpOQ7AEygyi6nrhr7BaY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2554
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/k0xQeCpvX3yUguYicb-apGtifkQ>
Subject: Re: [Emu] draft-ietf-emu-eaptlscert-04
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jun 2020 09:31:16 -0000
Hi Hannes, Thanks for the follow up. I have submitted a new version which should address your concerns. Here is a diff for your convenience: https://www.ietf.org/rfcdiff?url2=draft-ietf-emu-eaptlscert-05 Please see in-line for details. I believe that the draft is now ready for publication. --Mohit On 6/10/20 12:02 PM, Hannes Tschofenig wrote: > Thanks for the update. > > A few more minor comments on -04: > > Section 4.1: > > "TLS 1.3 [https://tools.ietf.org/html/rfc8446] requires implementations to support ECC." > > This is only true absent an application profile defining something else. > The UTA group has just adopted a WG item that defines such a profile. > > Hence, I suggest to add the remark about the profile. Something like > > "In the absence of an application profile standard specifying > otherwise, a TLS 1.3-compliant application must support ECC." Done! > > 4.2. Updating TLS and EAP-TLS Code > > Why are you calling the section "updating code"? The suggestion in 4.2.1 does not require code update and whether something requires a code update depends what you have in the code already. Maybe you just need to enable the feature. Updating the code is also a negative aspect because you are likely going to update the code on a regular basis anyway to fix bugs and to support new algorithms. Luckily TLS has the extension negotiation built-in and hence you can detect and negotiate new features on the fly. I agree that all code indeed should be updated to fix bugs and vulnerabilities. However, updating applications and certificates is certainly different from updating the underlying TLS library and EAP implementation. Administrators in enterprise environments (where EAP-TLS is widely used) have great control over when and how the server and client updates are rolled out. The categorization in section 4 should help administrators to decide how to avoid the fragmentation problem. Whether it is issuing new certificates, updating the access points, or updating the TLS and EAP-TLS implementation. Nonetheless, I have added the following text: "This section discusses how the fragmentation problem can be avoided by updating the underlying TLS or EAP-TLS implementation. Note that in many cases the new feature may already be implemented in the underlying library and simply needs to be taken into use." > > 4.2.4. Caching Certificates > > "The extension however necessitates a successful full handshake before any caching." > > This is not true. The spec defines a way to populate the cache by running a full handshake. > However, you could also populate the cache by out-of-band means, for example by pre-distributing certs. > > The mechanism to re-run the handshake to populate the cache is, however, a safe fallback in case configuration changes and the pre-distributed certs become invalid. It is better to have a fallback. > > I thought I made that comment before. You had raised this issue before and I had responded to you before. Here is the response again: Where does RFC 7924 (https://tools.ietf.org/html/rfc7924) talk about populating the cache with an out-of-band mechanism? The text in Section 1 of RFC 7924 clearly states that: "This specification defines a TLS extension that allows a client and a server to exclude transmission information cached in an earlier TLS handshake.". Notice the "earlier TLS handshake" part. I certainly refuse to add or describe new functionality which isn't discussed in the original RFC. > > 4.2.3. Compact TLS 1.3 > > You are still stating "This naturally means that cTLS is not interoperable with previous versions of the TLS protocol." > > cTLS is a compression of TLS, which means that you can fall-back to TLS, if the other peer does not support cTLS. As mentioned in my previous email, I don't understand why you are mentioning this aspect at all given that this document is about certificate size reduction. I understand your desire of making cTLS look good. I am not sure how hiding the information that cTLS doesn't interoperate with older versions of TLS helps. Anyhow, I have removed that sentence since progressing the draft at this is stage is more important than arguing over one sentence. > > Raw Public Keys > > I wonder whether you should mention the possibility to use RPKs (https://tools.ietf.org/html/rfc7250) in Section 4.1.2 because those would be a fairly obvious choice in EAP-TLS given that we are talking about a nailed up connection between the EAP peer and the EAP server. This would obviously reduce the overhead associated with certificates considerably. Added a new sub-section. With this, I believe that all issues are resolved and the document is ready for publication. > > Ciao > Hannes > > > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. > > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://www.ietf.org/mailman/listinfo/emu
- [Emu] draft-ietf-emu-eaptlscert-04 Hannes Tschofenig
- Re: [Emu] draft-ietf-emu-eaptlscert-04 Mohit Sethi M
- Re: [Emu] draft-ietf-emu-eaptlscert-04 Hannes Tschofenig