Re: [Emu] Murray Kucherawy's No Objection on draft-ietf-emu-tls-eap-types-12: (with COMMENT)
"Murray S. Kucherawy" <superuser@gmail.com> Thu, 16 February 2023 15:14 UTC
Return-Path: <superuser@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E887C19E110; Thu, 16 Feb 2023 07:14:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PvZkqs97dnD1; Thu, 16 Feb 2023 07:14:56 -0800 (PST)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58853C1879B6; Thu, 16 Feb 2023 07:14:56 -0800 (PST)
Received: by mail-ed1-x52c.google.com with SMTP id c1so4078364edt.4; Thu, 16 Feb 2023 07:14:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=865uvsP14Hwcb7Lq0ihYWiEt6r40yDOVywILE8LMkc4=; b=HKzJf0k7q9gyvISF+giiclq/adaxsoW4z8huHPfD2pv5Yhh2/S/bEsOxUWTBaZvioV pNCCEaY28KsVWICw15gZCnbSxrnfAIbAfuwIAHmyHyK1VWDSzOTHHfBah0b/1oUxboow 616zIJBmUooJfKEGeEKi8ZnlG+I0B1dUaQqGmcsqL1Q0vHSFK1C5mwAhMU76fvSebiOs we29X0auUib+rQBtyfbb7MgKEW66mB7BSoJhIWEqQ2cIJ7LCWfOdObQ+oCzad/+ucdfM 3vbtHPN7FK1/0i2trhCcFz+w7MvjifzgIKR927CqKlwdSyrzc0AnoA4tyGeHa0xY27Ms op+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=865uvsP14Hwcb7Lq0ihYWiEt6r40yDOVywILE8LMkc4=; b=CguADDabWdO1rIAPaDqf1/71dbgxbBM/kxB9pQ0Jvhy9sSTupam6U35q/x4nZ2cmmW cFV/VzJhrMYnb9jTNiT5AD8yem2sBm7gTsO0zm2qv4/xDmpvAClE2hg/2L88URYcWIiU K+1QY6gyr4KZIMgiOpHiD1JY0xn0t8Hmk9veE2WSs2yYHYjLLExGLkXlzhSmCE0YqEeO ewfeu4U5/07J8xNqsZFMwxGWViV/RjzB0fthEy45TjPv1lh8NnzFVv1XhQAKBGGZBWAu LIfcY99K1Khq4AgnK/cyYnFX/+pleLJGIzWdk+TrWN8BAXsfPndhfXDk4um3h6QVj5W6 bwmA==
X-Gm-Message-State: AO0yUKVkCjsVjjZ5zC3fJHe7BJkluKstE4CV/uCf2WZWmF+Jdd7GbhYk Wfp7tZGGGdNKRYaOmmgGKSnel6WvUHkTocWAEdYJzkxc
X-Google-Smtp-Source: AK7set/Wu9xqU9WiIABaLUcvcsWzYCGHuI9o64X3mFNpJCOIDtPimrr9ZuRVtFQ5Yruv20GYs7CR7rXzx8nTOOFznnU=
X-Received: by 2002:a17:907:7630:b0:878:b86b:de15 with SMTP id jy16-20020a170907763000b00878b86bde15mr3087374ejc.11.1676560494641; Thu, 16 Feb 2023 07:14:54 -0800 (PST)
MIME-Version: 1.0
References: <167652491813.36764.476349210854644496@ietfa.amsl.com> <43E1546C-8114-44B7-A662-57B8D07F3E01@deployingradius.com>
In-Reply-To: <43E1546C-8114-44B7-A662-57B8D07F3E01@deployingradius.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Thu, 16 Feb 2023 07:14:42 -0800
Message-ID: <CAL0qLwYFW_81h-ejOgYtFRbTLJcAoMHmq6eOb26_t9-kKMhK6g@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-emu-tls-eap-types@ietf.org, emu-chairs@ietf.org, emu@ietf.org, jsalowey@gmail.com
Content-Type: multipart/alternative; boundary="000000000000ba474e05f4d2a8d0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/rmwtjJACm3Hq9jr6yBJXrDeqCaU>
Subject: Re: [Emu] Murray Kucherawy's No Objection on draft-ietf-emu-tls-eap-types-12: (with COMMENT)
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2023 15:14:57 -0000
On Thu, Feb 16, 2023 at 6:20 AM Alan DeKok <aland@deployingradius.com> wrote: > > It is RECOMMENDED that vendor-defined TLS-based EAP methods use the > > above definitions for TLS 1.3. There is no compelling reason to use > > different definitions. > > > > Why isn't this MUST if there's no compelling reason to do otherwise? > > We don't have change control over vendor-defined TLS methods. > You do have control over what's compliant with this specification though. > > In Section 3.1: > > > > In other weds, [...] > > > > I think you meant "words". > > > > The outer identity SHOULD use an anonymous NAI realm. [...] > > > > I suggest you add a sentence or two explaining why an implementer might > > legitimately choose not to do this. > > I'll reference RFC 7542 (NAI), which goes over these issues in detail. > Perhaps: > > The outer identity SHOULD use an anonymous NAI realm, which allows for > both user privacy, and for the EAP session to be routed in an AAA > framework as described in [RFC7542] Section 3. Where NAI realms are > not used, packets will not be routable outside of the local > organization. > Is there any legitimate reason for an implementer to decide to deviate from the SHOULD and still expect to interoperate? The text you're suggesting sounds a lot like a MUST to me. > i.e. follow the recommendation and work with others, or don't follow it > and you're on your own. > So does that. > > This practice is NOT RECOMMENDED. User accounts for an organization > > should be qualified as belonging to that organization, and not to an > > unrelated third party. There is no reason to tie the configuration > > of user systems to public realm routing, that configuration more > > properly belongs in the network. > > > > This formulation is curious; you first give implementers an "out" with > NOT > > RECOMMENDED, and then basically argue that it should be a MUST NOT. I > suggest > > revisiting this pattern anywhere you've used it. If you prefer to keep > it, I > > suggest changing the prose a bit to explain why one might choose to > deviate > > from the advice presented. > > TBH I don't see any valid reasons for deviating from the advice given. > It's more that this document cannot mandate (a) changes from historical > practices defined in previous documents, and (b) what people do in their > own private environment. > > It's really "If you want your systems to work on the Internet, here's > what you do. If you don't care about that, you're on your own. Go figure > it out yourself". > I think this point should be made clear, i.e., that this is only a SHOULD because of backward compatibility with previous documents. In fact, I suggest using "MUST, unless ..." Private environments, I would imagine, are always free to interoperate or not, so I'm not too worried about the (b) case. -MSK
- [Emu] Murray Kucherawy's No Objection on draft-ie… Murray Kucherawy via Datatracker
- Re: [Emu] Murray Kucherawy's No Objection on draf… Alan DeKok
- Re: [Emu] Murray Kucherawy's No Objection on draf… Murray S. Kucherawy
- Re: [Emu] Murray Kucherawy's No Objection on draf… Alan DeKok