Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

John Mattsson <john.mattsson@ericsson.com> Thu, 12 September 2019 14:55 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Alan DeKok <aland@deployingradius.com>, Aura Tuomas <tuomas.aura@aalto.fi>
CC: EMU WG <emu@ietf.org>, "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>
Date: Thu, 12 Sep 2019 14:55:12 +0000
Message-ID: <8F355C6F-DF1E-4E03-B75E-0F1D2508B9D4@ericsson.com>
References: <7828_1564869242_5D46027A_7828_348_1_02e001d54a45$e92ae900$bb80bb00$@augustcellars.com> <20b118932a4843b6b88e605799fafea8@aalto.fi> <211AD83C-D111-4EEB-AAF0-D9B5E521F4CF@deployingradius.com>
In-Reply-To: <211AD83C-D111-4EEB-AAF0-D9B5E521F4CF@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/mLMxrOdsadBkTyzkKyX-4fqUCRo>
Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

See comments inline

-----Original Message-----
From: Alan DeKok <aland@deployingradius.com>
Date: Thursday, 12 September 2019 at 15:56
To: Aura Tuomas <tuomas.aura@aalto.fi>
Cc: EMU WG <emu@ietf.org>, "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>
Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
Resent from: <alias-bounces@ietf.org>
Resent to: John Mattsson <john.mattsson@ericsson.com>, <mohit@piuha.net>
Resent date: Thursday, 12 September 2019 at 15:56

> Alan DeKok wrote:
> On Sep 12, 2019, at 9:53 AM, Aura Tuomas <tuomas.aura@aalto.fi> wrote:
> > I was looking at the EAP-TLS with TLS 1.3 draft and noticed that it forbids PSK authentication. Why is that?

There was discussion regarding this on the list some years ago. The conclusion was that the EAP-TLS Type-Code should be used exclusively for certificate authentication. At that point, nobody expressed a wish to use EAP-TLS with PSK authentication. If someone wants to use EAP-TLS with symmetric keys, that should probably be a new code point.

> See Section 2.1.2. TLS 1.3 uses PSK for resumption. As a result, we *cannot* use PSK for authentication in EAP-TLS.

I don't understand why this could not be done. My view is that allowing PSK authentication would be quite easy.

> > While there is the EAP-PSK method, I would much rather use EAP-TLS with PSK because it provides identity protection and perfect forward secrecy, unlike EAP-PSK.
>
> Use EAP-PWD for that.

Standardizing EAP-TLS should only be done if it has some significant advantages over EAP-PWD, and there are people wanting to implement and use it. 3GPP is, e.g., adding identity protection and perfect forward secrecy to EAP-AKA instead.

> > In fact, I think EAP-TLS with PSK should become the standard authentication method for networks that rely on shared secrets, e.g. WPA-Personal. Unifying the Wi-Fi authentication around EAP would greatly simplify the Wi-Fi protocol stack. Not that I expect it to happen immediately, but we should not close sensible paths forward.
>
> The time to fix that was before TLS 1.3 was standardized.
>
> Alan DeKok.