Re: [Emu] EAP-TLS 1.3 - few more comments

John Mattsson <john.mattsson@ericsson.com> Tue, 08 June 2021 13:10 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F24D3A305C for <emu@ietfa.amsl.com>; Tue, 8 Jun 2021 06:10:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VbRTPmwrE5Sw for <emu@ietfa.amsl.com>; Tue, 8 Jun 2021 06:10:13 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50068.outbound.protection.outlook.com [40.107.5.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAFC93A3058 for <emu@ietf.org>; Tue, 8 Jun 2021 06:10:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=B1WichoKTqms8B5QdrKd7Qz39naaNILx6Chx3FTQcqa1hZBs+wuNuELs8alNB7cHzyMpvIKrljSWypypzyAFe3M3vWZECpJTJM+TdjDTbY82dE1VQ4UXvQmjBY025zYEDfCrwCMuUq3LXdVxSaFRDik8qM3XrnrUi0ghYIPINJPsZi8ajRAFum9NRKZxTW4trtTFQbvJkzwDWSaYUPBCF0UDWpYYo4g53l3+b3xlolnz7vJ21Yo326L7818siSRJWE199tmsASjjrKwxwocRnj4q0beJPy2nFxpqFfeiseVUw5JzCBBNNXBe1U7n8CpOqkiXCEJHhT/owgwFNbjvCg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0d8iE5qp9hWU8kOY9Jx1ZoFBV0WhN5ejMDo94b/kxOA=; b=EoTr8dc4Mk6tk39XS6XBuMLCkr7JlViqdgswxOytNwL7niS79FsLnuvTigv/b22PTyxiL8IBdbhZe8Z2PZBB0OD+Efn2by7ny4ianwCS82bEMkU0kLFq8XDdIj4VNJFOYN/f4Jq/kJ2vemvJC2QWZpynCC/1m+wnDyWq6l9JSGvJGaXhgMZrcFBiwEwNkULlA7jmpn+Ya8yEDeH3Y9JxlgvoC1D1PbMKsaW9h6PD9bA67OVRVelR1SKARGNERgtohuqZy2z//Nov/e+WY3CeH4pxJIFbqdq9Mwph/lfZofer2S7Av+Da4wlIvqYb9l2Ztptf4Yzsg6fqfC2FpX23gQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0d8iE5qp9hWU8kOY9Jx1ZoFBV0WhN5ejMDo94b/kxOA=; b=GoKouW2jdN+viMsUn/kDVe4ETBoKYuwPT+qUvbvn8Cv7IZfRCdP2RJksBW1nSv5SpIKaJRD/E3E9QfWB2ax2/cpZ8u6t6KD8NeiBOqyKRYyd2Rqk9T5p8C+aj6fRT6ds4rjQK7GAoYTrgT7qU9AAI6AT7HynfP0+M2B7yXprM1I=
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com (2603:10a6:3:4b::8) by HE1PR0701MB2089.eurprd07.prod.outlook.com (2603:10a6:3:2a::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4219.17; Tue, 8 Jun 2021 13:10:09 +0000
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::b071:a4a:817d:2d3]) by HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::b071:a4a:817d:2d3%11]) with mapi id 15.20.4219.019; Tue, 8 Jun 2021 13:10:09 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Oleg Pekar <oleg.pekar.2017@gmail.com>, Joseph Salowey <joe@salowey.net>
CC: EMU WG <emu@ietf.org>
Thread-Topic: [Emu] EAP-TLS 1.3 - few more comments
Thread-Index: AQHXSjE5JY5zMeUBHkSbHbhdpTWRZKrmdMEAgAFHgACAIn0VDQ==
Date: Tue, 8 Jun 2021 13:10:08 +0000
Message-ID: <HE1PR0701MB305060C145020043BA9462C589379@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <CABXxEz8dechYVv=a+jnLmKNS3S8zuZpY7Hm-VSSj8M4-Df-E6A@mail.gmail.com> <CAOgPGoArRmFfxX9OY6GLK+rWR=qK-VYSHFcdqoXOjqFPGmh-vg@mail.gmail.com>, <CABXxEz8=mbZh-=sFbiTxQ+-ho=5x8NOb8ydv5yKvTee4PEmg6w@mail.gmail.com>
In-Reply-To: <CABXxEz8=mbZh-=sFbiTxQ+-ho=5x8NOb8ydv5yKvTee4PEmg6w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [192.176.1.87]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: caee8298-6c56-4cf2-770b-08d92a7ebde8
x-ms-traffictypediagnostic: HE1PR0701MB2089:
x-microsoft-antispam-prvs: <HE1PR0701MB2089345C8464FB02B35AC42089379@HE1PR0701MB2089.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: cQpmQYjVDQtlw9LzL+Vv1P1GgmgVj+j16W6PX3x7xI2s1VWLP6uAUpTqO7quM2qwMc3mDlqC+TZQCtRqX9USlwihKpEuzLN6wiGCNwt0jfKgFyXxFvPSmS+hIr4taMp60d8jp4MhJ2j4F1v9kVmX2P6RL9AUr6M+lBmRKdTbVBswv00bz+FlzWSQUVRijemr7s8ZoQPatdXVHWs5no4zHUA00yljmfEFRjeRWPHtBqPsnxfXRho+fz+SSTYn20Ioc//4KiAlyFmAkeJlNSzDZ9gUQOk2f8H8gHTWh0kKBEv3g61RXCnFEsePCRHI39dKI2+rU5XG8CKQuiFukWnBYYTs8iJ3lIiXpJ/YOXL9HxRBeHV/LygxrtKANqVKxjb+FcVvhNV/L2A8aN7EtuQDhcDNjbnkNRzNmfiF16h2qpBdWQLABApePQfuRdHA+ffe+o3lChjcFPOzalCrO4K7eDeeL7Akx8DPrmGvmPOifiQVxQJgGrnpI02ZbERdvNBBb2TzAzVpibZcbC1XzzvfJqaSZzaBUnjn1FHabNsMDyDaXRKpQ3p9OQOVI8fsTqP0CDvGe45XGIG4eDbrmwpGo14ZQY5gMZwvut/ucY4nKRh1vmkIzlkCC5f72NpakSbWuAhCCl+VvXdfSWm+AmTIRCbOL2az9gq0qBSyOBQ+vj3hya6Ry8f4b9mQulZP2GXSt1p+fTql85dxlS8W3HFRUTl0G1N910NuU/Fz0y5e1tCz3/Z9yMbyaOXr0Y687rwr
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0701MB3050.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(396003)(39860400002)(136003)(346002)(366004)(166002)(86362001)(4326008)(33656002)(8676002)(567974003)(66946007)(55016002)(71200400001)(64756008)(66556008)(76116006)(6506007)(53546011)(83380400001)(66476007)(66446008)(316002)(9686003)(186003)(5660300002)(38100700002)(966005)(122000001)(8936002)(110136005)(26005)(2906002)(478600001)(7696005)(44832011)(52536014); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?Windows-1252?Q?WrXXgwM6B71OlKpiJoHxK0vVNMFjcH4HPz7NoqPvAR7NAQjo3AXVf6UH?= =?Windows-1252?Q?N2j12Naugjg9W5hdLHd3mRaqHq+VPrPYEOVh1n0BaGTXauL2xT1yth42?= =?Windows-1252?Q?D2t46zAb2uOle9OwXiTZWMCgHkp4lGBjeil5Y+LxUaGE83e/aGhHuVUk?= =?Windows-1252?Q?Sa+XwVCfD8sAkHaL62fzfe3Zyk4Coycd1W8e+rKWwl5ZUqf/aZsvVc2h?= =?Windows-1252?Q?Sjm44NK2uIQ4PqkXKkC8zGPcZD/2UgS/AzDJXhr9PCynZzn4WR9FZcYO?= =?Windows-1252?Q?HE+AQaNlUu0W14uYaI+oIWhRu3eXqruVwlHznC88qchFRgYRsUsoZM13?= =?Windows-1252?Q?t9tSzl01bw91mBqr6nX2+kTRhVOU76bUIVEArie9C3lzMVKDrIlF+GdH?= =?Windows-1252?Q?2LZKOa+wNmCauAuAiJEbwS1jyahzIhKSJR5w+kT1iqhsDS+Pw1c6yTTt?= =?Windows-1252?Q?3S0yawio6VZg/qIPt9V61kykLrXMwVHpMMIm2R3NTynpGp+nURGwvtNa?= =?Windows-1252?Q?ZfBDhKlbA3q5fm0HvZYP5dO8Gx0WX2eRibdKUxrKD5lOZL9WRVVgiaKJ?= =?Windows-1252?Q?esZ/+h3zC6RW397OwSLp+AQedFAe7fEr9ih301JrasTR6PiyDFNUd51q?= =?Windows-1252?Q?snMLQBGsjMja96Z/jgghgCyMVhmWDHJVfEGWoGAVyIz+41/UCvcCiBNj?= =?Windows-1252?Q?mwgQmo50x0P6c3QLt5E4f4v2uudXaTWCKqCuRyPx6g2C7EgTPf0k67Wj?= =?Windows-1252?Q?cY0uZ8CfNW3V3qdF8cY6z8nKlE8Twz9ImD3BYYgdZUFWoTD18Z9T6Kv5?= =?Windows-1252?Q?PoOt1/ZLfjrBW7Yk/sPMrIutTX5JXZG1KLKh2ysPbPVbnsWb6aJgAi4e?= =?Windows-1252?Q?0kHM0N0LTXOkHHsClABir4pP5RMLZQ+qFAJR1CL1xVBNgpUUdxXEmbp/?= =?Windows-1252?Q?UU4dUJ3M8T4H8TQIVLCC1GVYrQhzdAHBmdNH+r1megn168n9LndYt5LA?= =?Windows-1252?Q?B+tl4kyvRbOow5my9bRhqb+W3NaAJ3xvK8WnU8ih8bAbiqiKfR/ZpO8v?= =?Windows-1252?Q?B0oSAMSSZEFe5RdwyhjpSwa+ogjBYBo6H8ru2d1pz6M2UAL9xnxkGLwF?= =?Windows-1252?Q?Ow/NpZkB/mbALQFQu7ku+d8zNqNvGrN81P9CnJ82eBH+Wr2xK3WlcAGA?= =?Windows-1252?Q?4kEZlan5NUeKgrCLQNonHKPLgfeSpqOg3kY4ivUHwZMAcHPTeWr8zmQ/?= =?Windows-1252?Q?0fwdT35oJeNLInKwSu60DVP+ouugxvzHAfKZ62wW7swjbKAPtKoMeerp?= =?Windows-1252?Q?G5C2RUNQyNUhQ2YCLpfs+IkXQlyZLZtLJ74K4xSzW31cNAeCngKdFK1E?= =?Windows-1252?Q?lY4I8roUw0TE22ThcHHpt0odND+4epJOd8HcV96OFj/wbjEA1U2BGL2a?= =?Windows-1252?Q?zSkuG90ru1pvS/D1lvZ1tw=3D=3D?=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_HE1PR0701MB305060C145020043BA9462C589379HE1PR0701MB3050_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB3050.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: caee8298-6c56-4cf2-770b-08d92a7ebde8
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Jun 2021 13:10:08.8301 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: JdZgxMsuGL83SYHHcO337Y5MhBDeu0Z8ugtndXOsxSvbLwRqmwteRK6wj7Do8ceDVBJKRnR8uFtZ1DDi4IKb+avtxKyX89905WKcwE/XBK4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2089
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/rN_tAOdCXrCBE2uYKEZ4GIEOcYI>
Subject: Re: [Emu] EAP-TLS 1.3 - few more comments
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jun 2021 13:10:19 -0000

Hi,

I implemented the suggestions below in the following PR. Some of the editorial changes was merged directly to master.
https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/78

I have also implemented all the thing in issue #58 (Alans review) in a PR
https://github.com/emu-wg/draft-ietf-emu-eap-tls13/issues/58
https://github.com/emu-wg/draft-ietf-emu-eap-tls13/pull/71

The PRs that Joe has approved has been merged into the master branch.

I will go through the mailing list soon and see if there are more comments on the draft.

John

From: Emu <emu-bounces@ietf.org> on behalf of Oleg Pekar <oleg.pekar.2017@gmail.com>
Date: Monday, 17 May 2021 at 16:25
To: Joseph Salowey <joe@salowey.net>
Cc: EMU WG <emu@ietf.org>
Subject: Re: [Emu] EAP-TLS 1.3 - few more comments
Thanks Joe, one comment regarding item #16 is inline below.

On Sun, May 16, 2021 at 9:52 PM Joseph Salowey <joe@salowey.net<mailto:joe@salowey.net>> wrote:
Hi Oleg,

thanks for the review, comments below:

On Sun, May 16, 2021 at 1:55 AM Oleg Pekar <oleg.pekar.2017@gmail.com<mailto:oleg.pekar.2017@gmail.com>> wrote:
Hi, few more comments on the draft #15 https://datatracker.ietf.org/doc/draft-ietf-emu-eap-tls13/15/:

1)

2.1.1.  Authentication

The full handshake in EAP-TLS with TLS 1.3 always
   provide forward secrecy by exchange of ephemeral "key_share"
   extensions in the ClientHello and ServerHello (e.g. containing
   ephemeral ECDHE public keys).

—- comment:
should say “provides”

—————————————————————

2)

2.1.1.  Authentication

After the EAP-TLS server has received an
   empty EAP-Response to the EAP-Request containing the TLS application
   data 0x00, the EAP-TLS server sends EAP-Success.

-- comment:
the phrase “empty EAP-Response” may be confusing. EAP-TLS RFC [RFC 5216] calls such messages as "EAP-Response packet of EAP-Type=EAP-TLS and no data" (Section 2.1.3. Termination, 2.1.5.  Fragmentation). Suggest continue using the old RFC terminology since Figure 1 preserves the same messages names.

—————————————————————

3)

2.1.1.  Authentication

Figure 1: EAP-TLS mutual authentication

-- comment:
"TLS Application Data 0x00)" lacks opening round bracket

—————————————————————

4)

2.1.2.  Ticket Establishment

Figure 2: EAP-TLS ticket establishment

-- comment:
"TLS Application Data 0x00)" lacks opening round bracket

—————————————————————

5)

2.1.3.  Resumption

Figure 3: EAP-TLS resumption

-- comment:
"TLS Application Data 0x00)" lacks opening round bracket

—————————————————————

[Joe] Authors, please address the above nits.

6)

2.1.3.  Resumption

Providing a
   "key_share" and using the "psk_dhe_ke" pre-shared key exchange mode
   is also important in order to limit the impact of a key compromise.
   When using "psk_dhe_ke", TLS 1.3 provides forward secrecy meaning
   that key leakage does not compromise any earlier connections.  It is
   RECOMMMENDED to use "psk_dhe_ke" for resumption.

-- comment:
The recommendation may be interpreted ambiguously. Is it recommended to TLS server to reject EAP-TLS session resumption from EAP-TLS peer and fallback to full handshake when there's no "psk_dhe_ke" extension?

[Joe] SHOULD and RECOMMENDED are a bit ambiguous.  Perhaps this can be replaced by something better:

"psk_dh_ke" MUST be used for resumption unless the deployment has a local requirement to allow configuration of other mechanisms."



—————————————————————

7)

2.1.4.  Termination

In TLS 1.3 [RFC8446], error alerts are not mandatory to send after a
   fatal error condition.  Failure to send TLS Error alerts means that
   the peer or server would have no way of determining what went wrong.
   EAP-TLS 1.3 strengthen this requirement.  Whenever an implementation
   encounters a fatal error condition, it MUST send an appropriate TLS
   Error alert.

-- comment:
It there a way to enforce sending TLS Error alert? Since the conversation is probably failed anyway after the case that requires sending TLS Error alert - there is no real feasible enforcement to be specified. I remember a lot of suffering due to EAP-TLS peers just broke connection with no indication of what was wrong, so admins cannot really reveal the cure for the failed authentication.

[Joe] This section does say that TLS error alerts MUST be sent.  Are you looking for something else?

—————————————————————

8)

2.1.4.  Termination

Figure 6 shows an example message flow where the EAP-TLS server
   authenticates to the EAP-TLS peer successfully, but the EAP-TLS peer
   fails to authenticate to the EAP-TLS server and sends a TLS Error
   alert.

-- comment:
"the EAP-TLS peer fails to authenticate to the EAP-TLS server and sends a TLS Error" - there's an impression from this text that EAP-TLS peers sends a TLS error. However it is EAP-TLS server that does it. Should be clarified. Example of suggestion:

Figure 6 shows an example message flow where the EAP-TLS server
   authenticates to the EAP-TLS peer successfully, but the EAP-TLS peer
   fails to authenticate to the EAP-TLS server and the server sends a TLS Error
   alert.

[Joe] Authors please reword this text to be less ambiguous.

—————————————————————

9)

2.1.5.  No Peer Authentication

-- comment:
Can "TLS CertificateRequest" message still be sent by EAP-TLS server? Should EAP-TLS peer silently discard it or reject the connection in case it is sent but EAP-TLS peer doesn't own a credentials to authenticate?

[Joe] I think this is covered by TLS behavior.  I don't think we need to describe it further here.  The peer includes the certificate or not according to its policy and the server applies it policy accordingly.

—————————————————————

10)

2.1.5.  No Peer Authentication

Figure 7: EAP-TLS without peer authentication

-- comment:
"TLS Application Data 0x00)" lacks opening round bracket

—————————————————————

11)

2.1.6.  Hello Retry Request

Figure 8: EAP-TLS with Hello Retry Request

-- comment:
"TLS Application Data 0x00)" lacks opening round bracket

[Joe] authors please address these nits.

—————————————————————

12)

2.2.  Identity Verification

EAP peer implementations SHOULD
   allow users to configuring a unique trust root (CA certificate) and a
   server name to authenticate the server certificate and match the
   subjectAlternativeName (SAN) extension in the server certificate with
   the configured server name.

-- comment:
What is the configured server name? Do the supplicants that play EAP-TLS peer role usually have such configuration?

—————————————————————

13)

2.2.  Identity Verification

If
   server name matching is not used, then peers may end up trusting
   servers for EAP authentication that are not intended to be EAP
   servers for the network.

--comment:
What is meant by "EAP server for the network"?

[Joe] Please see the separate thread on this section 2.2. I'd rather have the discussion there.

—————————————————————

14)

2.4.  Parameter Negotiation and Compliance Requirements

While EAP-TLS does not protect any application data except for the
   Commitment Message, the negotiated cipher suites and algorithms MAY
   be used to secure data as done in other TLS-based EAP methods.

-- comment:
The term "Commitment Message" has never been introduced before in the document so it is confusing to see it in the middle section. However this term was used in the previous versions of the draft (last time in version #13).

[Joe] Authors please address this nit.


—————————————————————

15)

5.6.  Authorization

This information can include, but
   is not limited to, information about the authenticator, information
   about the EAP-TLS peer, or information about the protocol layers
   above or below EAP ( port numbers, WiFi
   SSID, etc.).

-- comment:
Suggest adding "...port numbers, SSID and the data previously collected for the EAP-TLS peer". This way we can mention including the data collected via MDM, Posture Validation and other Network Access Control management services into making authorization decision.

[Joe] This list is not meant to be exhaustive.


—————————————————————

16)

5.7.  Resumption

 As suggested in [RFC8446], EAP-TLS peers MUST NOT store resumption
   PSKs or tickets (and associated cached data) for longer than 7 days,
   regardless of the PSK or ticket lifetime.

-- comment:
This sentence repeats exactly the sentence in "2.1.2. Ticket Establishment", just without mentioning the number of seconds in 7 days, suggest removing it.

Reference to the previous occurrence in "2.1.2. Ticket Establishment":
Note that TLS 1.3
   [RFC8446] limits the ticket lifetime to a maximum of 604800 seconds
   (7 days) and EAP-TLS servers MUST respect this upper limit when
   issuing tickets.

[Joe] THese two sections are actually slightly different.  One is from the server point of view and the other is from the client point of view.  Perhaps both of these should be left to the TLS spec.


[Oleg] Got it. Then maybe it is worth specifying 604800 seconds in the section "5.7.  Resumption" also so it will be clear that the requirement in this section is the same strict as in "2.1.2. Ticket Establishment".

—————————————————————

17)

5.4.  Certificate Revocation

It is RECOMMENDED that EAP-TLS peers
   and EAP-TLS servers use OCSP stapling for verifying the status of the
   EAP-TLS server's certificate chain.

-- comment:
Suggest mentioning OCSP Stapling RFC 6961 here.

[Joe]  TLS 1.3 deprecates RFC 6961

—————————————————————

18)

6.1.  Normative References

-- comment:
Suggest adding OCSP Stapling RFC to the list of references:

[RFC6961] The Transport Layer Security (TLS) Multiple Certificate Status Request Extension

[Joe]  TLS 1.3 deprecates RFC 6961

—————————————————————
Regards,
Oleg