IETF Logo Mail Archive

[Emu] AD review of draft-ietf-emu-eap-tls13-09

Roman Danyliw <rdd@cert.org> Thu, 28 May 2020 18:31 UTC

Return-Path: <rdd@cert.org>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CFED3A0602 for <emu@ietfa.amsl.com>; Thu, 28 May 2020 11:31:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rIU-isz4373P for <emu@ietfa.amsl.com>; Thu, 28 May 2020 11:31:44 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A49F3A053F for <emu@ietf.org>; Thu, 28 May 2020 11:31:43 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 04SIVgQU004846 for <emu@ietf.org>; Thu, 28 May 2020 14:31:42 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 04SIVgQU004846
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1590690702; bh=rtbutiMYltc26x/l+svLz8Tvl05nd3Go/0ofbnWXxVE=; h=From:To:Subject:Date:From; b=p7MYTTCHRgkWbOYxTkYABqiAQS7EAUf/tWhmDxLbrL/AWFl24SUicCRLs65T/bye5 0O2whICBMj5pKpwbatGb83GjgysB9pvDOJMnXW8H25sPdKjnUvxx//2XZ4gFuw2E0F yQp/Abt/IYGBJdjnOma9fetxEE/d27ycBEH3PKFU=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 04SIVeuP039358 for <emu@ietf.org>; Thu, 28 May 2020 14:31:40 -0400
Received: from MURIEL.ad.sei.cmu.edu (147.72.252.47) by CASSINA.ad.sei.cmu.edu (10.64.28.249) with Microsoft SMTP Server (TLS) id 14.3.487.0; Thu, 28 May 2020 14:31:39 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MURIEL.ad.sei.cmu.edu (147.72.252.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1847.3; Thu, 28 May 2020 14:31:39 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%22]) with mapi id 15.01.1847.007; Thu, 28 May 2020 14:31:39 -0400
From: Roman Danyliw <rdd@cert.org>
To: "emu@ietf.org" <emu@ietf.org>
Thread-Topic: AD review of draft-ietf-emu-eap-tls13-09
Thread-Index: AdY1Havq25wDKQqtT3yaV6cHPacFdA==
Date: Thu, 28 May 2020 18:31:39 +0000
Message-ID: <a74cadb6b2ce4638895eaa183851a0cb@cert.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.203.21]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/k6K98OhuOQmbzSAgGWCtSIVv3Qk>
Subject: [Emu] AD review of draft-ietf-emu-eap-tls13-09
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2020 18:31:46 -0000

Hi!

I performed an AD review of draft-ietf-emu-eap-tls13-09.  Thanks for the work on modernizing existing guidance to cover TLS 1.3.

Two high level things caught my attention:

** The abstract, introduction and title suggested to me that this document is only about TLS 1.3+EAP.  If I wasn't using TLS 1.3, then there is nothing here of interest.  However, there appears to be text here that updates non-TLS 1.3 guidance.  I recommend being clear about that up front (in the abstract and introduction).

** Section 2.1 explicitly says that "[t]his document only lists additional and different requirements, restrictions, and processing compared to [RFC8446] and [RFC5216]."  The text tries to match section headers names with [RFC5216] (which is helpful).  However, I didn't always follow the "updates" without some searching.  Editorially, given a particular description of behavior, I recommend being clearer by consistently making explicit reference to a particular section in RFC5216 that is being updated. 

More details on the above observations and others below:

(1) Can you please check the boiler plate language, idnits is complaining is as follows:
  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords -- however, there's a paragraph with
     a matching beginning. Boilerplate error?

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
     (Using the creation date from RFC5216, updated by this document, for
     RFC5378 checks: 2007-07-01)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

(2) Section 1.  Editorial.  Instead of something working "perfectly", maybe just "supports"
OLD
   EAP-TLS [RFC5216] references TLS 1.0 [RFC2246] and TLS 1.1 [RFC4346],
   but works perfectly also with TLS 1.2 [RFC5246].   

NEW
EAP-TLS [RFC5216] explicitly references TLS 1.0 [RFC2246] and TLS 1.1 [RFC4346], but it also supports TLS 1.2 [RFC5246].   

(3) Section 1.  Editorial.  "Easy" might be relative.

OLD
   Privacy is mandatory and achieved without any additional round-trips,
   revocation checking is mandatory and easy with OCSP stapling,

NEW
Privacy is mandatory and achieved without any additional round-trips,   revocation checking is mandatory and simplified with OCSP stapling,

(3) Section 2.1.1.  What is the relationship between this section and NAI guidance in RFC5216 Section 2.1.4?  Is it that anonymous NAIs are RECOMMENDED for TLS 1.3, but stay a MAY in old EAP-TLS?

(4) Section 2.1.3.  Editorial.  To prevent the reader from having to line up which paragraphs are being replaced in Section 2.1.3 of [RFC5216], I would recommend citing the old text and showing how this text replaces it.  Additionally, since RFC5216 lists the peer guidance before the server, I'd recommend reversing the order.  For example:

Original TLS guidance from RFC5216:
If the peer authenticates successfully, the EAP server MUST respond
   with an EAP-Request packet with EAP-Type=EAP-TLS, which includes, in
   the case of a new TLS session, one or more TLS records containing TLS
   change_cipher_spec and finished handshake messages.  The latter
   contains the EAP server's authentication response to the peer.  The
   peer will then verify the finished message in order to authenticate
   the EAP server.
...
   If the EAP server authenticates successfully, the peer MUST send an
   EAP-Response packet of EAP-Type=EAP-TLS, and no data.  The EAP Server
   then MUST respond with an EAP-Success message.

TLS 1.3 guidance:
[insert new language in the draft now]

(5) Section 2.1.5.  Is Figure 6 supposed to be read as being inclusive of all TLS messages?  The figure doesn't contain TLS CertificateRequest, TLS Certificate, or TLS CertificateVerify.  It wouldn't be germane to what the figure is trying to demonstrate but the examples in prior sections are "complete".

(6) Section 2.1.6.  The text here seems right to describe TLS 1.3 behavior.  Recommend being clearer on which behavior this is replacing in TLS-EAP (i.e., explicitly citing a given section in RFC5216; is it Section 2.1.2?)

(7) Section 2.1.7.  The text here seems right to describe TLS 1.3 behavior.  Recommend being clearer on which behavior this is replacing in TLS EAP (i.e., explicitly citing a given section in RFC5216)

(8) Section 2.1.7.  Per "When NAI reuse can be done without privacy implications", is there any guidance that can be provided on where there would be a privacy issue?

(9) Section 2.1.9.  The text here seems right to describe TLS 1.3 behavior.  Recommend being clearer on which behavior this is replacing in TLS EAP (i.e., explicitly citing a given section in RFC5216, is it Section 2.1.5?)

(10) Section 5.1. Editorial.  Wrong section reference. s/Section 4.1. of [RFC5216]/Section 5.1 of [RFC5216]/

(11) Section 5.1.  Per "better confidentiality" in [2], this seems imprecise

(12) Section 5.4.  Per "While certificates often have a long validity period spanning several years, there are ...", as this is changing perhaps just say "While certificates may have long validity periods, there are ..."

(13) Section 5.5.  Recommend that this section read "No updates to Section 5.5 of [RFC5216]"

(14) Section 5.6.  The guidance in this section does appear to be TLS 1.3 specific.  If it isn't, it should be noted as such.

(15) Section 5.7.  Per "Since accounting must be tied to an authenticated identity ...", is there is a reason not to use a normative MUST here?  Especially since later a normative RECOMMENDED is used for "It is RECOMMENDED that authorization, accounting and policy decisions are reevaluated based on information given in resumptions".

(16) Section 5.8.  Editorial. Per "[RFC6973] suggests that the privacy considerations of IETF protocols be documented", it isn't clear to me what this sentence is adding.

(17) Section 5.8.  Editorial.  s/TLS 1.3 offers much better privacy than .../TLS 1.3 offers better privacy properties than .../

(18) Section 5.8.  Editorial. Per "If privacy-friendly identifiers with encrypted usernames need to be generated with care", as written, this is a only sentence fragment.

(19) Section 5.8.  Per "An EAP peer with a policy allowing communication with EAP servers supporting only TLS 1.2 without privacy  and with a static RSA key exchange is vulnerable to disclosure of the peer username", the "without privacy" would benefit from being more precisely stated.

(20) Section 5.9.  Editorial. Per "As required by [RFC7258] ...", I'm not sure what this sentence adds.

(21) Section 5.9.  Could you contextualize this "widespread surveillance of users " more specifically within the EAP context.

Regards,
Roman

v2.23.0 | Report a Bug | By Email