IETF Logo Mail Archive

Re: [Emu] TEAP Request-Action TLV

Oleg Pekar <oleg.pekar.2017@gmail.com> Wed, 06 May 2020 13:57 UTC

Return-Path: <oleg.pekar.2017@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6ED473A076C for <emu@ietfa.amsl.com>; Wed, 6 May 2020 06:57:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MWVsUI0gHSRa for <emu@ietfa.amsl.com>; Wed, 6 May 2020 06:57:46 -0700 (PDT)
Received: from mail-oi1-x233.google.com (mail-oi1-x233.google.com [IPv6:2607:f8b0:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DE503A076F for <emu@ietf.org>; Wed, 6 May 2020 06:57:46 -0700 (PDT)
Received: by mail-oi1-x233.google.com with SMTP id k133so1575630oih.12 for <emu@ietf.org>; Wed, 06 May 2020 06:57:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=v/C5o3fgUTZoGg62DxxvWobTlysV9tlC0VCvGiKqTF4=; b=OQCUE/QNfEG6Alsnpju69BtH14Ez1xen7AG5yRH5MooCETXTapWGts5JHF6SyHE0rN Jig73W9m8OjSbsiPBazAt1T0WYWypa/8qaWzZoNWIMhHEL6vYPuuY789cmirlitnd02d CpHwaie+YxaWU0cdp9GRCoX2BMY5eETgFg+yU9iKoW7tTpEX4QohujOORDK+VGoFuKhZ +QFA1BvWgfvzegx6TTM2THgTubHOjaybtt8dKqbts0rcww207QEuRneGGTY+mO1IeVA/ jfxRlGCe4hzTt9dHg8tzLSk6FymWOFvor5QrC+iFySJ0bnl0BouFeLXWSApazp3XJW7P 489w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=v/C5o3fgUTZoGg62DxxvWobTlysV9tlC0VCvGiKqTF4=; b=iVr6ZCvk8XhiSJmFOpchZa4IMWVXFE6qGa8kP1UHcSUmUlmUPGeXl8SCz08s4v2ffa Uag6xvNUKSgT0oTkDPUofgb4TCM6rNhLWneaLso6vUHCqwbjp895uwH+RWpBJ14CzS6u Sj8F75WGeCyPu6bzHTUoEeoFhB6FiRArKf7H+G2TOwhslTTn50FNDHkyMRLD8mDEU6GE QQJVxmjpoOti0y/iVNVf8swOn/BRI+sW1/B4tmZmbcH82UXBvuL0DJfJOInMnnymfyE2 3fcA/yo8aFQRH/9EdH8ltoDTlGxMVGUaKWDu9uErC39C2eAN4D6oLpGnDyr4E2bgOxrA 7ZcA==
X-Gm-Message-State: AGi0PubA7dpL2O+Ejg8vX1cnnpUw3bm6tTsFVha8iOoKyI4+6XNYS/go 7ABZWpPAU4+sflF2nzGt3AHMgNXw+0PFETHwsJJ5dnt0
X-Google-Smtp-Source: APiQypL9Z+Wrzn+BPOp45SJCsxmuGc/m1mtCHkNtgbVO31Drlyh+1S5xNH5YuwmC9MzACJvBI0hLS3y/otcOurrVOWU=
X-Received: by 2002:a54:4115:: with SMTP id l21mr2810197oic.18.1588773465506; Wed, 06 May 2020 06:57:45 -0700 (PDT)
MIME-Version: 1.0
References: <7DF5C6C1-5176-417A-837F-4849262DFA35@cisco.com>
In-Reply-To: <7DF5C6C1-5176-417A-837F-4849262DFA35@cisco.com>
From: Oleg Pekar <oleg.pekar.2017@gmail.com>
Date: Wed, 06 May 2020 16:57:34 +0300
Message-ID: <CABXxEz-GTVaLE2yx+j_Ex_X_YCYJxC246NQvyCSAB5GjSnSXRg@mail.gmail.com>
To: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
Cc: EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000a482605a4fb260a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/qSsZA2Sc6XDGnD4u46httiir5FU>
Subject: Re: [Emu] TEAP Request-Action TLV
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2020 13:57:49 -0000

Hi Eliot,
Few thoughts:

   - If the current client's certificate was requested via TEAP by PKCS#10
   TLV - then maybe it makes sense for the client to send Request-Action
   TLV + PKCS#10 TLV again with the same certificate parameters
   - If the current client's certificate was not requested via TEAP - then
   there's no evidence that the certificate renewal will be addressed (maybe
   TEAP is not connected to any CA)
   - If the current client's certificate was obtained from the external CA
   (e.g. via SCEP or EST) - then there's no evidence that the certificate
   renewal will be addressed
   - If the current client's certificate was preinstalled - then the client
   may not have a clue what does it want and will be unable to fill PKCS#10
   request. On the other hand, the CA that TEAP server is connected to could
   be unable to generate certificate with exactly the same properties and the
   current client certificate. Simple example: the current certificate is
   ECDSA and the CA can generate RSA only. Hard example: the current client
   certificate contains vendor specific extensions like Policy or Template
   Name. So it will be hard to put those extensions to the generated
   certificate

Regards
Oleg

On Thu, Apr 30, 2020 at 4:19 PM Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
wrote:

> All:
>
> Here is a circumstance one could easily imagine, and in fact we attempted
> to address in draft-lear-eap-teap-brski:
>
> Client requires a new certificate for some reason or another.  Perhaps its
> is about to expire, or perhaps the signer has been compromised, or what
> have you.
>
>
> We were thinking that we could use the Request-Action Frame for this
> purpose with a type of PKCS#10.  But that now seems wrong, as the language
> in the draft states that one appends a Request-Action frame with a full
> TLV, and not just a *type, * and further that the other end process the
> TLV.  In looking at Jouni’s code, he is doing precisely that with the PAC
> TLV.
>
> And so it seems we have three choices:
>
>
>    - Create a new TLV that has a length of *two* that can be used in a
>    REQUEST_ACTION frame.
>    - Create a new TLV that is what we thought we meant: here is a list of
>    two(ish)-byte types whose TLVs I want you to send to me.
>    - Hard code the ordering of requests so everyone knows what to expect.
>
>
> Each of these has its own problems.
>
> The first requires that we create a new EAP TYPE for TLV one end needs the
> other to send, but it’s pretty easy to process. The second requires extra
> processing but requires less standardization.  The last seems to go against
> the EAP model and reduces deployment flexibility.
>
> Thoughts?
>
> Eliot
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
>

v2.23.0 | Report a Bug | By Email