Re: [Emu] draft-ietf-emu-eap-tls13-09

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 16 June 2020 09:02 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Mohit Sethi M <mohit.m.sethi@ericsson.com>, "emu@ietf.org" <emu@ietf.org>
Date: Tue, 16 Jun 2020 09:02:24 +0000
Message-ID: <AM0PR08MB371618D7FCE9EB29F2327B66FA9D0@AM0PR08MB3716.eurprd08.prod.outlook.com>
References: <AM0PR08MB37167810AD2FA9E36DAE2418FA810@AM0PR08MB3716.eurprd08.prod.outlook.com> <AM0PR08MB37169869A2C015F2B701A332FA810@AM0PR08MB3716.eurprd08.prod.outlook.com> <62ec9fad-583e-ed51-1f6c-dcfa3835c0ec@ericsson.com>
In-Reply-To: <62ec9fad-583e-ed51-1f6c-dcfa3835c0ec@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/NGOtS72Wcm6fdNyy86JwDYZ3bxI>
Subject: Re: [Emu] draft-ietf-emu-eap-tls13-09

This is, of course, a decision of the group, and the main use case of a TLS-based EAP method is the use of public key-based authentication.
Technically, there is, however, no reason why this wouldn’t work.

Ciao
Hannes

From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
Sent: Monday, June 15, 2020 3:51 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; emu@ietf.org
Subject: Re: [Emu] draft-ietf-emu-eap-tls13-09


Hi Hannes,

On 6/12/20 11:29 AM, Hannes Tschofenig wrote:

A short follow-up on my own review:

I wrote:

"Pre-Shared Key (PSK) authentication SHALL NOT be used except for resumption."

What you want to say is that EAP-TLS MUST NOT use external PSKs. I wonder why you want to rule that use case out? It is a perfectly fine use case for TLS 1.3 and there is even the possibility to use PSK with ECDHE. What is the motivation?

I noticed now that the working group had a discussion about this already and that there is a new document being published specifically focused on EAP-TLS-PSK-based authentication. Hence, ignore the second part of my comment.

Indeed. There has been lots of discussion on this topic. To summarize:

RFC 5216 explicitly required certificate-based TLS authentication with the following text:

   If the EAP server is not resuming a previously established session,
   then it MUST include a TLS server_certificate handshake message, and
   a server_hello_done handshake message MUST be the last handshake
   message encapsulated in this EAP-Request packet.

   The certificate message contains a public key certificate chain for
   either a key exchange public key (such as an RSA or Diffie-Hellman
   key exchange public key) or a signature public key (such as an RSA or
   Digital Signature Standard (DSS) signature public key).

Bernard Aboba opined that external PSK-based authentication shouldn't be added to EAP-TLS in this update. Instead, a separate document (with a separate EAP method type) should do that. Hence, we now have: https://tools.ietf.org/html/draft-mattsson-emu-eap-tls-psk-00. For reference, here are some email conversations containing discussion on this topic:

- https://mailarchive.ietf.org/arch/msg/emu/FtxRJHTjzSY0yVdVr8Vjyk9D-vk/
- https://mailarchive.ietf.org/arch/msg/emu/CRh3VXLDnpJFFIbHWJAjiOgfzAg/
- https://mailarchive.ietf.org/arch/msg/emu/nYrIA4PKqk2mrUoNvAtFh7S-Xb8/
- https://mailarchive.ietf.org/arch/msg/emu/hVG357HXqvy0EjZ2yrOLdspH53o/

--Mohit


Ciao
Hannes

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

_______________________________________________
Emu mailing list
Emu@ietf.org<mailto:Emu@ietf.org>
https://www.ietf.org/mailman/listinfo/emu

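One way an EAP-TLS server could apply the "PSK SHALL NOT be used except for resumption" rule quoted in the thread above, as an added example that is neither the draft's nor any list member's code. The ticket store, the external-PSK table, single-use tickets and the fall-through to a full certificate-based handshake (rather than aborting) are assumptions of this example.

```python
import os
import time

# TLS 1.3 (RFC 8446) caps ticket_lifetime at seven days.
TICKET_LIFETIME = 7 * 24 * 3600


class EapTlsPskPolicy:
    """Accepts only PSKs that are tickets this server issued (resumption)."""

    def __init__(self, external_psks=None):
        # Tickets minted after a certificate-based handshake:
        # identity -> (resumption secret, issue time). Constructed store.
        self.tickets = {}
        # External PSKs the TLS stack may know for other uses; EAP-TLS
        # must never authenticate with them (assumed configuration).
        self.external_psks = dict(external_psks or {})

    def issue_ticket(self, resumption_secret, now=None):
        """Mint a NewSessionTicket identity after a successful full handshake."""
        identity = os.urandom(16)
        issued = time.time() if now is None else now
        self.tickets[identity] = (resumption_secret, issued)
        return identity

    def select_handshake(self, psk_identities, now=None):
        """Decide the handshake mode from the ClientHello pre_shared_key list.

        psk_identities: [(identity, obfuscated_ticket_age), ...] in client order.
        Returns ('resumption', selected_index) or ('certificate', None).
        """
        if now is None:
            now = time.time()
        for index, (identity, _age) in enumerate(psk_identities):
            if identity in self.external_psks:
                # Draft rule: PSK SHALL NOT be used except for resumption.
                # Assumption: the server does not select it and falls through
                # to a full handshake instead of aborting.
                continue
            entry = self.tickets.pop(identity, None)  # tickets are single-use
            if entry is not None and now - entry[1] < TICKET_LIFETIME:
                return ("resumption", index)
        # No acceptable ticket: full certificate-based handshake, the only
        # mode RFC 5216 allowed outside resumption.
        return ("certificate", None)
```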