IETF Logo Mail Archive

Re: [Emu] TEAP Request-Action TLV

Oleg Pekar <oleg.pekar.2017@gmail.com> Wed, 06 May 2020 19:15 UTC

Return-Path: <oleg.pekar.2017@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EF4E3A0B04 for <emu@ietfa.amsl.com>; Wed, 6 May 2020 12:15:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id irqKzslUHLNG for <emu@ietfa.amsl.com>; Wed, 6 May 2020 12:15:24 -0700 (PDT)
Received: from mail-oo1-xc2d.google.com (mail-oo1-xc2d.google.com [IPv6:2607:f8b0:4864:20::c2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BC113A0AEE for <emu@ietf.org>; Wed, 6 May 2020 12:15:23 -0700 (PDT)
Received: by mail-oo1-xc2d.google.com with SMTP id e18so737955oot.9 for <emu@ietf.org>; Wed, 06 May 2020 12:15:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=so92c3UalG1VWfbj+TTaL69syMWfRDdGVHjJeUMrXC8=; b=MIUhG0265InHvdPsafwOGSFkaMdDpg6h7xz8MZeepidVwGSf5Rd0QH3mkhzYkyMnmC iGd1dtn0A2NuaK9n3qg0SQ4+kwexKFxPXV4aYbo1JmGnjeifqnrH6c+x42nzEa/56opY P1NzdKrqiJT8ls1ZUwcgVdUvoLD+CFeKEc52c8LPCiEXMcVDb9GXtfiU5Yv5O2ZZjpoY 9Xo1UrCFKTLnolQBOgWkYrRDbCcgbLxgY6QzSAAMd/i4Jxh1yHjFuSBmOJEbmE2NudhF ZVJetCQl9H3Pit3d2WYFNni5k7Ei+roz9RXBKSopntStH5odL2U7m35w2jWXuCbMX6c5 ILDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=so92c3UalG1VWfbj+TTaL69syMWfRDdGVHjJeUMrXC8=; b=e3xpMbSUW1mtSDOzOh8uBNHNsiOEPuA1BwB77xhk5oQeAeGC33ARgBQFAAlOVxzoRT RFDg10IipiR4nqxsK/PM0I+iKS29yA/oh1A5+rLAeQW7lg7xT4W+4eGXcjOaZz7TT8us v0ZqjuoNuqrtdX5qnOlrm6fgKt56f0U7aPeiJ9/O7EJcS/0OpSvdQgufC/0JsyNdH1uz DSltyEZ5ye06m3YZwANbhSxywTEaFyioWyr3xU7JZYOuyISxsD+61Qhnc4/ATM1Vqa+4 t/v6tacK1djXbvckaGz9TuJdnQIFZTxQB97j6xMlfeMADTegdYVUgARzraZXLI3LFdjM Ad2A==
X-Gm-Message-State: AGi0PuarNfb15RYoFe4rAzq0jjT4lTkX2+sFuHDlg63bCAgrsQhlYSn9 SkBMRafTIwefETmgWBhLwsC7J3Nne4kJNAYL9rU=
X-Google-Smtp-Source: APiQypK9SGrJ8gJaAh4DnjQhKxRVqDDB/YKosqpe+cLhjQhvJUDPeZBakANDynbiBP5EypwPYzLAVMmAKMc5nUxY+2I=
X-Received: by 2002:a4a:9285:: with SMTP id i5mr8288478ooh.50.1588792520878; Wed, 06 May 2020 12:15:20 -0700 (PDT)
MIME-Version: 1.0
References: <7DF5C6C1-5176-417A-837F-4849262DFA35@cisco.com> <CABXxEz-GTVaLE2yx+j_Ex_X_YCYJxC246NQvyCSAB5GjSnSXRg@mail.gmail.com>
In-Reply-To: <CABXxEz-GTVaLE2yx+j_Ex_X_YCYJxC246NQvyCSAB5GjSnSXRg@mail.gmail.com>
From: Oleg Pekar <oleg.pekar.2017@gmail.com>
Date: Wed, 06 May 2020 22:15:09 +0300
Message-ID: <CABXxEz-kXFMdgJTaFy5oU3vGQ3ye9o=xwaCSFiKbvtE7pr9JHQ@mail.gmail.com>
To: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
Cc: EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d42c6b05a4ff9541"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/qvLwiEEQ9nJXrMbIWvm2mNwXnP4>
Subject: Re: [Emu] TEAP Request-Action TLV
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2020 19:15:30 -0000

Eliot gave me some hint offline and here's what we can do in TEAP with
regards of certificate provisioning/enrollment/renewal.

In the current TEAP RFC, when the peer wants to get list of Trusted Roots
it sends Trusted-Server-Root TLV with credential type field - a constant
value 1 for PKCS#7 and with no other content. The server replies
with Trusted-Server-Root TLV and puts PKCS#7 inside it. So there's a kind
of request-response with the same TLV.

However for certificate request the peer should send PKCS#10 TLV and the
server should response with PKCS#7 TLV. It shows some inconsistency on one
hand and gives no possibility for the server to control certificate renewal.

Suggest closing that gap by introducing a new "Peer-Certificate TLV" with
exactly the same format as Trusted-Server-Root TLV.

   - When the peer wants to request a certificate it
   sends "Peer-Certificate TLV" with credential type field equal to 1
   for PKCS#7 and optional PKCS#10 TLV as a content
   - If no PKCS#10 TLV attached then the server can just renew the existing
   certificate if it has such capabilities and required data (or can say that
   the peer wants a certificate based on its current certificate and the
   current server policies).
   - If PKCS#10 TLV is attached then the server generates peer certificate
   according to the data in the request
   - If the server wants to generate peer certificate it may reply with
   "Peer-Certificate TLV" with credential type field equal to 1 for PKCS#7
   and PKCS#10 TLV as a content.
   - If the server wants the peer to send certificate request with all the
   data - it sends "Peer-Certificate TLV" with credential type field equal to
   1 for PKCS#7 and no content
   - We don't need to use Request-Action TLV in the whole flow

Would that work?

Regards
Oleg

On Wed, May 6, 2020 at 4:57 PM Oleg Pekar <oleg.pekar.2017@gmail.com> wrote:

> Hi Eliot,
> Few thoughts:
>
>    - If the current client's certificate was requested via TEAP by
>    PKCS#10 TLV - then maybe it makes sense for the client to send
>    Request-Action TLV + PKCS#10 TLV again with the same certificate parameters
>    - If the current client's certificate was not requested via TEAP -
>    then there's no evidence that the certificate renewal will be addressed
>    (maybe TEAP is not connected to any CA)
>    - If the current client's certificate was obtained from the external
>    CA (e.g. via SCEP or EST) - then there's no evidence that the certificate
>    renewal will be addressed
>    - If the current client's certificate was preinstalled - then the
>    client may not have a clue what does it want and will be unable to
>    fill PKCS#10 request. On the other hand, the CA that TEAP server is
>    connected to could be unable to generate certificate with exactly the same
>    properties and the current client certificate. Simple example: the current
>    certificate is ECDSA and the CA can generate RSA only. Hard example: the
>    current client certificate contains vendor specific extensions like Policy
>    or Template Name. So it will be hard to put those extensions to the
>    generated certificate
>
> Regards
> Oleg
>
> On Thu, Apr 30, 2020 at 4:19 PM Eliot Lear <lear=
> 40cisco.com@dmarc.ietf.org> wrote:
>
>> All:
>>
>> Here is a circumstance one could easily imagine, and in fact we attempted
>> to address in draft-lear-eap-teap-brski:
>>
>> Client requires a new certificate for some reason or another.  Perhaps
>> its is about to expire, or perhaps the signer has been compromised, or what
>> have you.
>>
>>
>> We were thinking that we could use the Request-Action Frame for this
>> purpose with a type of PKCS#10.  But that now seems wrong, as the language
>> in the draft states that one appends a Request-Action frame with a full
>> TLV, and not just a *type, * and further that the other end process the
>> TLV.  In looking at Jouni’s code, he is doing precisely that with the PAC
>> TLV.
>>
>> And so it seems we have three choices:
>>
>>
>>    - Create a new TLV that has a length of *two* that can be used in a
>>    REQUEST_ACTION frame.
>>    - Create a new TLV that is what we thought we meant: here is a list
>>    of two(ish)-byte types whose TLVs I want you to send to me.
>>    - Hard code the ordering of requests so everyone knows what to expect.
>>
>>
>> Each of these has its own problems.
>>
>> The first requires that we create a new EAP TYPE for TLV one end needs
>> the other to send, but it’s pretty easy to process. The second requires
>> extra processing but requires less standardization.  The last seems to go
>> against the EAP model and reduces deployment flexibility.
>>
>> Thoughts?
>>
>> Eliot
>> _______________________________________________
>> Emu mailing list
>> Emu@ietf.org
>> https://www.ietf.org/mailman/listinfo/emu
>>
>

v2.23.0 | Report a Bug | By Email