Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

Alan DeKok <aland@deployingradius.com> Mon, 11 November 2019 19:41 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <MN2PR11MB390100371FD5EF13342AA3E4DB740@MN2PR11MB3901.namprd11.prod.outlook.com>
Date: Mon, 11 Nov 2019 14:41:37 -0500
Cc: EMU WG <emu@ietf.org>
Message-Id: <C6ED9B0C-88D4-42C6-B8FE-47261BE65980@deployingradius.com>
To: "Owen Friel (ofriel)" <ofriel@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/px2HV7DXlPKyNnMD6YR63O4dz-Y>
Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

On Nov 11, 2019, at 12:52 PM, Owen Friel (ofriel) <ofriel@cisco.com> wrote:
> 
> [ofriel] Is the primary reason they MUST NOT be copied because of encoding differences? UTF-8 vs. TLS raw bytes?

  Yes.  EAP Identities are UTF-8 encoded strings.  Non-compliant identities will likely result in the packet being dropped.

> On the privacy aspect, as the TLS PSK ID is sent unprotected and unencrypted in cleartext in the ClientHello, what information leakage are we preventing by not sending that same data in cleartext in the Identity Response?

  Not much.  Except that if we send the data in the Identity, it MUST be encoded in some format which is acceptable to EAP, RADIUS, etc.

  Further, RFC 8446 says that PSK Identities can be up to 2^16-1 octets in length.  While EAP can carry large identities, RADIUS cannot.  So we're left with a practical limitation of ~250 octets for the identity field.

  At that point, it's best to recommend that the EAP Identity carry only an anonymous NAI.  That avoids the issue of PSK length and encoding entirely.  Further, it means that all uses of EAP-TLS have the same recommendation: the Identity is an anonymous NAI.

> This is a different question to the difference between an extern PSK and a resumption PSK. That is implementation specific and not defined in TLS1.3.

  i.e. "good luck".  :(

  It's difficult for implementors to do the right thing in such a situation.

> [ofriel] I agree some implementation advice would be good here. Should this be in EAP, or should we push for a TLS1.3 errata? It's the same advice that a standard TLS1.3 server implementor needs. OpenSSL for example defines its own resumption format, and provides a callback hook to check for extern PSKs, and it looks like OpenSSL lets the application check for an extern PSK match first before checking its internal resumption cache: https://github.com/openssl/openssl/blob/master/ssl/statem/extensions_srvr.c#L1093. But of course that is TLS stack specific. We would need to document guidance along the lines of checking for TLS stack behaviour.

  I think it's best to give guidance in this document.

  Alan DeKok.
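Added example, not code from the thread or from the draft: it checks a candidate EAP Identity against the two constraints discussed above (UTF-8 encoding and the RADIUS User-Name size limit) and builds the anonymous NAI that is recommended instead of copying the TLS PSK identity. The 253-octet RADIUS value limit comes from RFC 2865, the anonymous NAI forms from RFC 7542 section 2.4; the sample PSK identities are constructed values.

```python
# Added example, not code from the thread or the draft: checks the two EAP
# Identity constraints discussed above (UTF-8 encoding and the RADIUS
# User-Name size limit) and builds the recommended anonymous NAI instead.
from typing import List

# A RADIUS attribute has a one-octet Length that covers its 2-octet header
# (RFC 2865), so the value is at most 253 octets: the "~250 octets" above.
RADIUS_MAX_VALUE_OCTETS = 253

# TLS 1.3 (RFC 8446) allows PSK identities of up to 2^16-1 opaque octets.
TLS_PSK_IDENTITY_MAX_OCTETS = 2**16 - 1


def check_eap_identity(identity: bytes) -> List[str]:
    """Return the problems an EAP/RADIUS path would have with this Identity."""
    problems = []
    try:
        identity.decode("utf-8")          # EAP Identities are UTF-8 strings
    except UnicodeDecodeError:
        problems.append("not valid UTF-8")
    if len(identity) > RADIUS_MAX_VALUE_OCTETS:
        problems.append(
            f"{len(identity)} octets exceeds the RADIUS User-Name limit "
            f"of {RADIUS_MAX_VALUE_OCTETS} octets"
        )
    return problems


def anonymous_nai(realm: str, with_username: bool = True) -> str:
    """Anonymous NAI per RFC 7542 section 2.4: 'anonymous@realm' or '@realm'."""
    if not realm or "@" in realm:
        raise ValueError("realm must be a non-empty string without '@'")
    return ("anonymous" if with_username else "") + "@" + realm


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    opaque_psk_identity = bytes([0x13, 0xFF, 0x80]) + b"A" * 29  # 32 raw octets
    long_psk_identity = b"k" * 300          # legal in TLS, too big for RADIUS
    assert len(long_psk_identity) <= TLS_PSK_IDENTITY_MAX_OCTETS
    print(check_eap_identity(opaque_psk_identity))
    print(check_eap_identity(long_psk_identity))
    print(check_eap_identity(anonymous_nai("example.com").encode("utf-8")))
```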