Re: [Emu] EAP-TLS 1.3 Section 2.2 text

Alan DeKok <aland@deployingradius.com> Wed, 19 May 2021 12:58 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE96D3A0D39 for <emu@ietfa.amsl.com>; Wed, 19 May 2021 05:58:39 -0700 (PDT)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sLF1dZpR9L_P for <emu@ietfa.amsl.com>; Wed, 19 May 2021 05:58:33 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7197D3A0D2E for <emu@ietf.org>; Wed, 19 May 2021 05:58:33 -0700 (PDT)
Received: from [192.168.46.129] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id 7DCA2549; Wed, 19 May 2021 12:58:30 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.6\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CABXxEz9th6-JOgHKqEC5W7XQoi3NKUN3_8F3O_14k6nAdwmgRQ@mail.gmail.com>
Date: Wed, 19 May 2021 08:58:29 -0400
Cc: Russ Housley <housley@vigilsec.com>, EMU WG <emu@ietf.org>, Joe Salowey <joe@salowey.net>, stpeter@mozilla.com
Content-Transfer-Encoding: quoted-printable
Message-Id: <F6B720FD-CF54-4953-A598-C6713CC10042@deployingradius.com>
References: <CAOgPGoBDcbDxGB3_Qy_xXymhnxrfMaOPNP545eMh8XLvU6OX+A@mail.gmail.com> <92D9824F-82C2-440F-807F-7B4799DCF1B6@deployingradius.com> <CAOgPGoAd3CcaqPYd0aYXBDtCmv32T8hpGH+6ysEn7Pi9M+FSiw@mail.gmail.com> <4698EFD4-83B5-4B77-93E8-0E12FE8BC2DD@vigilsec.com> <CABXxEz-Jzfd4_8=bx8DquchkQVj8Hf07m0U8tYWO9-rFtBjqBw@mail.gmail.com> <CABXxEz9th6-JOgHKqEC5W7XQoi3NKUN3_8F3O_14k6nAdwmgRQ@mail.gmail.com>
To: Oleg Pekar <oleg.pekar.2017@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/rKPtQZ6XcADDWDE_g2dflOtFx9g>
Subject: Re: [Emu] EAP-TLS 1.3 Section 2.2 text
X-List-Received-Date: Wed, 19 May 2021 12:58:40 -0000

On May 19, 2021, at 8:37 AM, Oleg Pekar <oleg.pekar.2017@gmail.com> wrote:
> After thinking a bit more about it - for the sake of the client implementation clarity, would it be better if we provide the strict algorithm for server identity check or maybe reference RFC 6125.

  Given the time frame and what we know, I think the existing text is OK.

  This is what wpa_supplicant does in its implementation, and it seems to work fine.  Apple appears to do the same thing:

https://opensource.apple.com/source/eap8021x/eap8021x-264.30.3/EAP8021X.fproj/EAPTLSUtil.c.auto.html

  Look for "trusted_server_names", which leads to:

https://opensource.apple.com/source/eap8021x/eap8021x-156/EAP8021X.fproj/EAPTLSUtil.c

server_name_matches_server_names()

  Which checks if the name from the cert is an exact match for one of the "trusted_server_names", or contains "*." followed by a suffix which is one of the trusted server names.

  I think it's past the time where this document can ask supplicants to change their behavior.  We know what the supplicants do, it's not wrong, and it seems to work.  So let's document that, and move on.

  Alan DeKok.
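The matching rule described in the message above (exact match against a configured trusted server name, or a "*." wildcard whose suffix the certificate's name must match), written out as an added example. This is not wpa_supplicant's or Apple's code and is not taken from the thread; it assumes the wildcard appears in the configured trusted-name list (a configured pattern such as "*.corp.example.com") and anchors the suffix comparison on a label boundary so that a wildcard cannot match an unrelated host that merely ends in the same characters. The function names, the trusted list and the certificate names are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed trusted server names, as an administrator might configure them
 * in a supplicant profile. The second entry is a "*." wildcard pattern. */
static const char *const kTrusted[] = {
    "radius.example.com",
    "*.corp.example.com",
};
static const size_t kTrustedCount = sizeof(kTrusted) / sizeof(kTrusted[0]);

/* True when `name` ends with "." followed by `suffix` (case-insensitive DNS
 * comparison). Requiring the dot keeps "*.corp.example.com" from matching
 * "evilcorp.example.com", and the length check requires at least one label
 * in front of the suffix, so the bare suffix itself does not match. */
static bool has_label_suffix(const char *name, const char *suffix)
{
    size_t nlen = strlen(name);
    size_t slen = strlen(suffix);
    if (slen == 0 || nlen < slen + 2)
        return false;
    const char *tail = name + nlen - slen;
    return tail[-1] == '.' && strcasecmp(tail, suffix) == 0;
}

/* Server identity check as described in the thread: the name taken from the
 * server certificate must either equal one of the trusted names exactly, or
 * match a trusted entry of the form "*." + suffix by ending with that suffix. */
bool server_name_matches(const char *cert_name,
                         const char *const *trusted, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        const char *t = trusted[i];
        if (strcasecmp(cert_name, t) == 0)
            return true;
        if (strncmp(t, "*.", 2) == 0 && has_label_suffix(cert_name, t + 2))
            return true;
    }
    return false;
}

/* Convenience wrapper over the constructed trusted list above. */
bool demo_accepts(const char *cert_name)
{
    return server_name_matches(cert_name, kTrusted, kTrustedCount);
}

int main(void)
{
    /* Constructed certificate names a supplicant might see. */
    const char *names[] = {
        "radius.example.com",       /* exact match            -> accepted */
        "RADIUS.example.com",       /* case-insensitive match -> accepted */
        "auth1.corp.example.com",   /* wildcard match         -> accepted */
        "evilcorp.example.com",     /* not on a label boundary -> rejected */
        "corp.example.com",         /* bare suffix, no label  -> rejected */
        "attacker.example.net",     /* unrelated              -> rejected */
    };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-26s %s\n", names[i],
               demo_accepts(names[i]) ? "accepted" : "rejected");
    return 0;
}
```

In a real supplicant `cert_name` would be each dNSName from the server certificate's subjectAltName (or the subject CN on older deployments), checked only after the chain has validated to the configured CA; the name check is what stops a certificate from the same CA issued to some other host from being accepted.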