[Emu] EAP-TLS 1.3 - few more comments
Oleg Pekar <oleg.pekar.2017@gmail.com> Sun, 16 May 2021 08:55 UTC
Return-Path: <oleg.pekar.2017@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F7923A0B51 for <emu@ietfa.amsl.com>; Sun, 16 May 2021 01:55:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pvA4aFX90elS for <emu@ietfa.amsl.com>; Sun, 16 May 2021 01:55:08 -0700 (PDT)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43FAA3A0B4A for <emu@ietf.org>; Sun, 16 May 2021 01:55:08 -0700 (PDT)
Received: by mail-io1-xd30.google.com with SMTP id i7so2848615ioa.12 for <emu@ietf.org>; Sun, 16 May 2021 01:55:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=qxs8wYY5LBlGff2/jY4SXzNoDCcQh6InUY7MYyvPI5k=; b=Akgo2XWIK4wfYbRqyV8lI7U62rVpUyoFr8HnwBPgYyp62doYHcK21Xt8lL33/t4OHU ACiYvERwvEpbeChWzchQbnCRM1gVvmsTHL6KFh7n7E/PXMeRpoU+fHNyVjRaQ2HDJCCb yu/HqJM7cxyfhZUUQbpHxr2k/6xfWedDmiDXTKguuxPi0R+0Ft8X9yEzStHeNRJIOqkB EeWBOPN0sifORBIW8ICam8gIfrik9ea8PuIVyWn4nyFQVUBRl3dS4dxMWs8UDtHZNXGP bOudm/QOJtfDJ6/4rAWII5Z7+5yHil7yPiMIfD0eWuysS2SUl5IQcebBr69HFzaqBKjW Zv8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=qxs8wYY5LBlGff2/jY4SXzNoDCcQh6InUY7MYyvPI5k=; b=KJTcExZ5IbsOHbvK6/K2W7FzR9YZ1EMEKvIAL951jKwXDgBmtlfFDZ2x2Vh/1Y8Rqj 5xqaZGCpmQIMWrOW8noCB7BZmaHJWeK0cof2mYqvGYEk+QkLQeq3qhg1sy5vXfUEL9zM TvB7YvlyFkXmRMMIHQKi3M9ykztgQPIKS8Rai6ZsVAOdqKWgLcoRsZ3EU5won4WgMp01 qbSXiZ2seOvL7Pj2Qd3z3/M4S7DEOrdu6vkvIFMOshi73+gzlle6xxLv2t2qNGfdaYw4 T/5E3CbpM69B+ZOf/RDwnNUV5ic8/PC1FSsVqNAZWhgQ/Zv7vF471D89gKtrnijgLb+e GFEw==
X-Gm-Message-State: AOAM531TfkCXodHiez0uapV1dpbsdW0g8DdmTV/NysPwnT+uyAIz0cmP mFpqn/WsMU3xYsEY2GvR8BS2kJ4oJcsBs/lcgwePwo9cve4=
X-Google-Smtp-Source: ABdhPJxT8G9+IYpPUY3t2OMMGKil3o40hVJwYpA9cHTH80fqNFd24lJ06FYRC587MTTuCIqsBR918sVA493jJqG8aiY=
X-Received: by 2002:a02:a918:: with SMTP id n24mr51106207jam.125.1621155306728; Sun, 16 May 2021 01:55:06 -0700 (PDT)
MIME-Version: 1.0
From: Oleg Pekar <oleg.pekar.2017@gmail.com>
Date: Sun, 16 May 2021 11:54:55 +0300
Message-ID: <CABXxEz8dechYVv=a+jnLmKNS3S8zuZpY7Hm-VSSj8M4-Df-E6A@mail.gmail.com>
To: EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002eeecf05c26ea2e9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/nX2bwFF9c054dDAtEn7dDDd5qaQ>
Subject: [Emu] EAP-TLS 1.3 - few more comments
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 May 2021 08:55:13 -0000
Hi, few more comments on the draft #15 https://datatracker.ietf.org/doc/draft-ietf-emu-eap-tls13/15/: 1) 2.1.1. Authentication The full handshake in EAP-TLS with TLS 1.3 always provide forward secrecy by exchange of ephemeral "key_share" extensions in the ClientHello and ServerHello (e.g. containing ephemeral ECDHE public keys). —- comment: should say “provides” ————————————————————— 2) 2.1.1. Authentication After the EAP-TLS server has received an empty EAP-Response to the EAP-Request containing the TLS application data 0x00, the EAP-TLS server sends EAP-Success. -- comment: the phrase “empty EAP-Response” may be confusing. EAP-TLS RFC [RFC 5216] calls such messages as "EAP-Response packet of EAP-Type=EAP-TLS and no data" (Section 2.1.3. Termination, 2.1.5. Fragmentation). Suggest continue using the old RFC terminology since Figure 1 preserves the same messages names. ————————————————————— 3) 2.1.1. Authentication Figure 1: EAP-TLS mutual authentication -- comment: "TLS Application Data 0x00)" lacks opening round bracket ————————————————————— 4) 2.1.2. Ticket Establishment Figure 2: EAP-TLS ticket establishment -- comment: "TLS Application Data 0x00)" lacks opening round bracket ————————————————————— 5) 2.1.3. Resumption Figure 3: EAP-TLS resumption -- comment: "TLS Application Data 0x00)" lacks opening round bracket ————————————————————— 6) 2.1.3. Resumption Providing a "key_share" and using the "psk_dhe_ke" pre-shared key exchange mode is also important in order to limit the impact of a key compromise. When using "psk_dhe_ke", TLS 1.3 provides forward secrecy meaning that key leakage does not compromise any earlier connections. It is RECOMMMENDED to use "psk_dhe_ke" for resumption. -- comment: The recommendation may be interpreted ambiguously. Is it recommended to TLS server to reject EAP-TLS session resumption from EAP-TLS peer and fallback to full handshake when there's no "psk_dhe_ke" extension? ————————————————————— 7) 2.1.4. Termination In TLS 1.3 [RFC8446], error alerts are not mandatory to send after a fatal error condition. Failure to send TLS Error alerts means that the peer or server would have no way of determining what went wrong. EAP-TLS 1.3 strengthen this requirement. Whenever an implementation encounters a fatal error condition, it MUST send an appropriate TLS Error alert. -- comment: It there a way to enforce sending TLS Error alert? Since the conversation is probably failed anyway after the case that requires sending TLS Error alert - there is no real feasible enforcement to be specified. I remember a lot of suffering due to EAP-TLS peers just broke connection with no indication of what was wrong, so admins cannot really reveal the cure for the failed authentication. ————————————————————— 8) 2.1.4. Termination Figure 6 shows an example message flow where the EAP-TLS server authenticates to the EAP-TLS peer successfully, but the EAP-TLS peer fails to authenticate to the EAP-TLS server and sends a TLS Error alert. -- comment: "the EAP-TLS peer fails to authenticate to the EAP-TLS server and sends a TLS Error" - there's an impression from this text that EAP-TLS peers sends a TLS error. However it is EAP-TLS server that does it. Should be clarified. Example of suggestion: Figure 6 shows an example message flow where the EAP-TLS server authenticates to the EAP-TLS peer successfully, but the EAP-TLS peer fails to authenticate to the EAP-TLS server and the server sends a TLS Error alert. ————————————————————— 9) 2.1.5. No Peer Authentication -- comment: Can "TLS CertificateRequest" message still be sent by EAP-TLS server? Should EAP-TLS peer silently discard it or reject the connection in case it is sent but EAP-TLS peer doesn't own a credentials to authenticate? ————————————————————— 10) 2.1.5. No Peer Authentication Figure 7: EAP-TLS without peer authentication -- comment: "TLS Application Data 0x00)" lacks opening round bracket ————————————————————— 11) 2.1.6. Hello Retry Request Figure 8: EAP-TLS with Hello Retry Request -- comment: "TLS Application Data 0x00)" lacks opening round bracket ————————————————————— 12) 2.2. Identity Verification EAP peer implementations SHOULD allow users to configuring a unique trust root (CA certificate) and a server name to authenticate the server certificate and match the subjectAlternativeName (SAN) extension in the server certificate with the configured server name. -- comment: What is the configured server name? Do the supplicants that play EAP-TLS peer role usually have such configuration? ————————————————————— 13) 2.2. Identity Verification If server name matching is not used, then peers may end up trusting servers for EAP authentication that are not intended to be EAP servers for the network. --comment: What is meant by "EAP server for the network"? ————————————————————— 14) 2.4. Parameter Negotiation and Compliance Requirements While EAP-TLS does not protect any application data except for the Commitment Message, the negotiated cipher suites and algorithms MAY be used to secure data as done in other TLS-based EAP methods. -- comment: The term "Commitment Message" has never been introduced before in the document so it is confusing to see it in the middle section. However this term was used in the previous versions of the draft (last time in version #13). ————————————————————— 15) 5.6. Authorization This information can include, but is not limited to, information about the authenticator, information about the EAP-TLS peer, or information about the protocol layers above or below EAP ( port numbers, WiFi SSID, etc.). -- comment: Suggest adding "...port numbers, SSID and the data previously collected for the EAP-TLS peer". This way we can mention including the data collected via MDM, Posture Validation and other Network Access Control management services into making authorization decision. ————————————————————— 16) 5.7. Resumption As suggested in [RFC8446], EAP-TLS peers MUST NOT store resumption PSKs or tickets (and associated cached data) for longer than 7 days, regardless of the PSK or ticket lifetime. -- comment: This sentence repeats exactly the sentence in "2.1.2. Ticket Establishment", just without mentioning the number of seconds in 7 days, suggest removing it. Reference to the previous occurrence in "2.1.2. Ticket Establishment": Note that TLS 1.3 [RFC8446] limits the ticket lifetime to a maximum of 604800 seconds (7 days) and EAP-TLS servers MUST respect this upper limit when issuing tickets. ————————————————————— 17) 5.4. Certificate Revocation It is RECOMMENDED that EAP-TLS peers and EAP-TLS servers use OCSP stapling for verifying the status of the EAP-TLS server's certificate chain. -- comment: Suggest mentioning OCSP Stapling RFC 6961 here. ————————————————————— 18) 6.1. Normative References -- comment: Suggest adding OCSP Stapling RFC to the list of references: [RFC6961] The Transport Layer Security (TLS) Multiple Certificate Status Request Extension ————————————————————— Regards, Oleg
- [Emu] EAP-TLS 1.3 - few more comments Oleg Pekar
- Re: [Emu] EAP-TLS 1.3 - few more comments Joseph Salowey
- Re: [Emu] EAP-TLS 1.3 - few more comments Oleg Pekar
- Re: [Emu] EAP-TLS 1.3 - few more comments John Mattsson