Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

"Owen Friel (ofriel)" <ofriel@cisco.com> Mon, 11 November 2019 17:28 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Alan DeKok <aland@deployingradius.com>
CC: Joseph Salowey <joe@salowey.net>, "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Michael Richardson <mcr@sandelman.ca>, EMU WG <emu@ietf.org>
Thread-Topic: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
Thread-Index: AdVKJoKyKr1G5+9hQuKLAEK5rLYqPgfSdnOQAABeFAAABkCJgP//55mA//bAJjCAEoqCAIADGZ8AgBnulgCABSSTAIAB0o2AgAAF5ACAAC3sAIAABveAgB1CFQCAAD1cgIAAJDQAgAEmKQD/9DAisIAXqxMA//nquBA=
Date: Mon, 11 Nov 2019 17:28:21 +0000
Message-ID: <MN2PR11MB3901D4F7C340481923339054DB740@MN2PR11MB3901.namprd11.prod.outlook.com>
References: <7828_1564869242_5D46027A_7828_348_1_02e001d54a45$e92ae900$bb80bb00$@augustcellars.com> <20b118932a4843b6b88e605799fafea8@aalto.fi> <211AD83C-D111-4EEB-AAF0-D9B5E521F4CF@deployingradius.com> <8F355C6F-DF1E-4E03-B75E-0F1D2508B9D4@ericsson.com> <246280B8-6E5C-484B-95BD-9C940C98C507@deployingradius.com> <CY4PR1101MB22781AB8C8982ACF99B61544DB8E0@CY4PR1101MB2278.namprd11.prod.outlook.com> <17E08795-4E4E-4507-8384-836020966BCF@deployingradius.com> <634C375D-FBF3-4297-A5C0-E68C903CA34A@ericsson.com> <CAOgPGoBko6N_JebmisoSk_EJ=Hq21sV3xoXjLw4r7D+OFSsdZA@mail.gmail.com> <CC58A292-03D6-4D70-A11F-B8FEE7311E78@cisco.com> <26738.1570791861@dooku.sandelman.ca> <AD799A14-8268-4BAF-8925-3567973C7507@cisco.com> <9501.1570802988@dooku.sandelman.ca> <DCC85780-B079-4AD0-8870-7528270B70D8@cisco.com> <CAOgPGoA0RCY+J5bDOyUiKtFy5Vk=C11yvE8O=rsJPQeS8Fzk0A@mail.gmail.com> <B31BF8C4-6568-49F2-BBD1-BD6AC66D393C@cisco.com> <20826A11-1881-40F9-8C54-82BB90820851@deployingradius.com> <CAOgPGoCAb6hbWfPLLGDXAv80Grxn1vTTxOzLctx4E+R0ZhBvGg@mail.gmail.com> <MN2PR11MB390137BA293101102515A3AFDB780@MN2PR11MB3901.namprd11.prod.outlook.com> <0D21C6F3-DCF7-41FA-BEFB-9408575524A8@deployingradius.com>
In-Reply-To: <0D21C6F3-DCF7-41FA-BEFB-9408575524A8@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/lmXevWHUqVPcR-LOREcGI0iCRq0>
Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>


> -----Original Message-----
> From: Alan DeKok <aland@deployingradius.com>
> Sent: 07 November 2019 17:48
> To: Owen Friel (ofriel) <ofriel@cisco.com>
> Cc: Joseph Salowey <joe@salowey.net>; draft-ietf-emu-eap-tls13@ietf.org;
> John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>; Michael
> Richardson <mcr@sandelman.ca>; EMU WG <emu@ietf.org>
> Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
> 
> On Nov 7, 2019, at 12:30 PM, Owen Friel (ofriel) <ofriel@cisco.com> wrote:
> > [ofriel] TLS1.3 explicitly does not allow both PSK and certs simultaneously.
> draft-ietf-tls-tls13-cert-with-extern-psk does, but that’s Experimental. I don't
> think TLS with extern PSK is really intended for Web/Browser HTTPS
> connections. Its more for devices/things which are preprovisioned with the
> extern PSK.
> 
>   Then the EAP-TLS document should disallow it, too.  If TLS 1.3 doesn't support
> it, I don't see how something built on top of TLS 1.3 can support it.

[ofriel] TLS1.3 does not allow both PSK and cert based auth simultaneously on the same TLS session. It does allow support of both PSK and cert based auth on the same server, just on different TLS sessions. What draft-ietf-tls-tls13-cert-with-extern-psk does is allow both PSK and cert based auth simultaneously on the same TLS session. I can see how my statement was confusing, apologies.

> 
> > In TLS1.3, by design the protocol does not differentiate between resumption
> and external PSKs, and says nothing about PSK ID format, as commented here
> https://mailarchive.ietf.org/arch/msg/tls/Q5K8HSPPgLRojQwXbV4ZTIxBIH0 ,
> https://mailarchive.ietf.org/arch/msg/tls/X_z8pc3oS2Au7KajjMhlWhP1UPc
> 
>   Which is fine.  I'm happy to have PSKs be anything.  The caveat is that we then
> MUST forbid the PSKs from being copied to the EAP Identity field.  So the EAP-
> TLS document has to make a recommendation.
> 
> > And its application specific how the two are differentiated, the spec says
> nothing about it:
> https://mailarchive.ietf.org/arch/msg/tls/btLnZERYv8GJJ2PFUksjNsDyv8o
> >
> > I still don't get why EAP-TLS1.3 should place restrictions on use of TLS1.3.
> Surely it should be an EAP server implementation decision on whether to support
> that feature or not, but we should not preclude a specific EAP server
> implementation from supporting extern PSK by disallowing it in the spec. If a
> particular EAP server does not want to support extern PSK - that’s fine.
> 
>   Then we need to give guidance on what implementors and administrators
> should do.  Even if it means adding text saying "you can do certs OR PSK, but
> NOT BOTH".

[ofriel] You can do certs or PSK on the same TLS server, just not on the same TLS session. Unless draft-ietf-tls-tls13-cert-with-extern-psk became a thing.
> 
>   Alan DeKok.
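The server-side decision the exchange above is about, written out as an added example that is not part of this thread, of RFC 8446 or of any of the drafts discussed: a TLS 1.3 server that holds both operator-provisioned external PSKs and its own resumption tickets looks at the ClientHello's pre_shared_key offers and returns exactly one authentication mode for that session, PSK or certificate, never both. Because RFC 8446 says nothing about PSK identity format, the external/resumption distinction here is one assumed application convention: external identities are whatever sits in the provisioned table, and anything else is tried as a server-issued ticket with a hypothetical layout (fixed prefix, nonce, HMAC tag under a server ticket key). The cipher-suite hash is assumed to be SHA-256; the binder computation follows RFC 8446 sections 4.2.11.2 and 7.1, and the resumption PSK is derived directly from the ticket key for brevity rather than from a real resumption_master_secret.

```python
"""Added example: TLS 1.3 server choosing PSK or certificate auth per session."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

HASH = hashlib.sha256          # assumed cipher-suite hash (e.g. TLS_AES_128_GCM_SHA256)
HLEN = HASH().digest_size      # 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 s7.1 HKDF-Expand-Label; one HMAC block covers length <= HLEN."""
    if length > HLEN:
        raise ValueError("example supports a single HKDF output block")
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack(">H", length) + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hmac.new(secret, hkdf_label + b"\x01", HASH).digest()[:length]


def psk_binder(psk: bytes, binder_label: bytes, truncated_hello_hash: bytes) -> bytes:
    """binder = HMAC(finished_key, Transcript-Hash(Truncate(ClientHello))), RFC 8446 s4.2.11.2.
    binder_label is b"ext binder" for external PSKs, b"res binder" for resumption PSKs."""
    early_secret = hkdf_extract(b"\x00" * HLEN, psk)
    binder_key = hkdf_expand_label(early_secret, binder_label, HASH(b"").digest(), HLEN)
    finished_key = hkdf_expand_label(binder_key, b"finished", b"", HLEN)
    return hmac.new(finished_key, truncated_hello_hash, HASH).digest()


# Hypothetical ticket identity layout (an assumption, not from RFC 8446):
# prefix | 16-byte nonce | 16-byte HMAC tag under the server's ticket key.
TICKET_PREFIX, NONCE_LEN, TAG_LEN = b"tkt1:", 16, 16


def issue_ticket(ticket_key: bytes):
    """Server side of NewSessionTicket: returns (ticket identity, resumption PSK)."""
    nonce = os.urandom(NONCE_LEN)
    tag = hmac.new(ticket_key, nonce, HASH).digest()[:TAG_LEN]
    psk = hkdf_expand_label(ticket_key, b"resumption", nonce, HLEN)  # simplified derivation
    return TICKET_PREFIX + nonce + tag, psk


def open_ticket(ticket_key: bytes, identity: bytes):
    """Recover the resumption PSK from a ticket this server issued, else None."""
    if not identity.startswith(TICKET_PREFIX) or len(identity) != len(TICKET_PREFIX) + NONCE_LEN + TAG_LEN:
        return None
    nonce = identity[len(TICKET_PREFIX):len(TICKET_PREFIX) + NONCE_LEN]
    expected_tag = hmac.new(ticket_key, nonce, HASH).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected_tag, identity[-TAG_LEN:]):
        return None
    return hkdf_expand_label(ticket_key, b"resumption", nonce, HLEN)


class HandshakeAbort(Exception):
    """Raised where a real server would send a fatal alert."""


@dataclass(frozen=True)
class OfferedPsk:
    identity: bytes   # PskIdentity.identity from the pre_shared_key extension
    binder: bytes     # the matching PskBinderEntry


def client_offer(identity: bytes, psk: bytes, binder_label: bytes, truncated_hello_hash: bytes) -> OfferedPsk:
    """Client side: one pre_shared_key entry with its binder."""
    return OfferedPsk(identity, psk_binder(psk, binder_label, truncated_hello_hash))


def select_authentication(offered, external_psks, ticket_key, truncated_hello_hash):
    """Returns ("psk", selected_identity_index, psk) or ("certificate", None, None).
    Unknown identities are skipped; a known identity whose binder fails aborts
    the handshake (RFC 8446 s4.2.11.2); no PSK match means certificate auth."""
    for idx, entry in enumerate(offered):
        if entry.identity in external_psks:
            psk, label = external_psks[entry.identity], b"ext binder"
        else:
            psk = open_ticket(ticket_key, entry.identity)
            if psk is None:
                continue  # not ours; fall through to the next offer
            label = b"res binder"
        if not hmac.compare_digest(psk_binder(psk, label, truncated_hello_hash), entry.binder):
            raise HandshakeAbort("decrypt_error: PSK binder does not verify")
        return ("psk", idx, psk)
    return ("certificate", None, None)


def demo():
    """Constructed inputs: one external PSK, one ticket, one unknown identity."""
    hello_hash = HASH(b"constructed truncated ClientHello bytes").digest()
    external = {b"device-0042": bytes(range(32))}
    ticket_key = b"\x7f" * 32
    ticket, res_psk = issue_ticket(ticket_key)
    ext_offer = client_offer(b"device-0042", external[b"device-0042"], b"ext binder", hello_hash)
    res_offer = client_offer(ticket, res_psk, b"res binder", hello_hash)
    unknown = client_offer(b"someone-else", b"\x01" * 32, b"ext binder", hello_hash)
    return {
        "external": select_authentication([ext_offer], external, ticket_key, hello_hash)[0],
        "resumption": select_authentication([unknown, res_offer], external, ticket_key, hello_hash)[:2],
        "fallback": select_authentication([unknown], external, ticket_key, hello_hash)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Two things are worth noticing in the selection routine. There is no branch that picks a PSK and then also requests a client certificate, because RFC 8446 gives the server no way to do that within one session (a server authenticating with a PSK must not send CertificateRequest in the main handshake); that combination is exactly what draft-ietf-tls-tls13-cert-with-extern-psk would add. And the external-versus-resumption split lives entirely in the server's own tables and ticket format, which is why the binder label, not the identity bytes, is what ultimately rejects a PSK offered under the wrong kind.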