Re: [Emu] I-D Action: draft-ietf-emu-tls-eap-types-09.txt

John Mattsson <john.mattsson@ericsson.com> Sat, 29 October 2022 11:47 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Alan DeKok <aland@deployingradius.com>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
CC: "emu@ietf.org" <emu@ietf.org>
Date: Sat, 29 Oct 2022 11:46:54 +0000
Message-ID: <HE1PR0701MB3050E350E6C3A2A291AE331789359@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <166428153120.54333.17278955597896126770@ietfa.amsl.com> <HE1PR0701MB3050362A7979C272F7E285E989329@HE1PR0701MB3050.eurprd07.prod.outlook.com> <794E0C93-3068-4C2C-98B8-AE551D48AC00@deployingradius.com>
In-Reply-To: <794E0C93-3068-4C2C-98B8-AE551D48AC00@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/snceJL8jdgtGhFiF1md_Suf-9Ks>

>It's not so much "Microsoft planning" as this was discussed in EMU years ago, and the WG consensus was to stick with SHA-1.

I don’t remember any such WG consensus (but maybe I am missing something). What I can find in the mailing list archive is that several people pointed out that moving away from SHA-1 is a good idea, that there is no need to use SHA-1, but that the final decision is Microsoft’s:

“To me it feels strange to force future implementations to continue support of SHA-1 when it is completely removed from TLS 1.3.”

“Realistically, PEAP is a vendor-defined protocol.  It is not under the change control of the IETF.  If the vendor agrees to this change, then it's possible.  Otherwise we're stuck with what we have.”

“Moving away from SHA-1 is a good idea as it will only raise questions moving forward.”

“Rather than locking in another dependency such as SHA256, I wonder if this calculation should also use a hash function derived from the TLS handshake”

“I suggest then that we simply use the TLS-Exporter”

https://mailarchive.ietf.org/arch/browse/emu/?gbt=1&index=344mIsmczCfedowJfhVy7WiFq9A


>The current code is shipping in multiple servers and supplicants.  It cannot realistically be changed at this time.

Might be that we are stuck with SHA-1, but irrespective of why that is the case, I still think that draft-ietf-emu-tls-eap-types should clearly point out the fact that PEAP 1.3 uses SHA-1. I think this is important (and unexpected) information to readers of the document and users of the EAP method. My understanding is that TEAP 1.3 is not using SHA-1.

Cheers,
John

From: Emu <emu-bounces@ietf.org> on behalf of Alan DeKok <aland@deployingradius.com>
Date: Friday, 28 October 2022 at 17:36
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Cc: emu@ietf.org <emu@ietf.org>
Subject: Re: [Emu] I-D Action: draft-ietf-emu-tls-eap-types-09.txt
On Oct 28, 2022, at 10:49 AM, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
> A small nit:
> OLD and tje
> NEW and the

  I'll fix that, thanks.

> PEAP and SHA-1:
> Looks like Microsoft is planning to stick with SHA-1 for PEAP 1.3 [PEAP-PRF]. I think that is the wrong choice. NIST recently stated that they plan to deprecate and eventually disallow _all_ uses of SHA-1. In the end, this is Microsoft’s choice, but I think the fact that PEAP 1.3 still uses SHA-1 should be mentioned in draft-ietf-emu-tls-eap-types. This is important information for people and industries following requirements to disallow all uses of SHA-1.

  It's not so much "Microsoft planning" as this was discussed in EMU years ago, and the WG consensus was to stick with SHA-1.

  The current code is shipping in multiple servers and supplicants.  It cannot realistically be changed at this time.

  If NIST deprecates SHA-1, then we can define PEAP (version n+1), and rely on PEAP version negotiation to fix the issue.

  Alan DeKok.
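Added example, not from this thread and not Microsoft's PEAP PRF (the thread cites it only as [PEAP-PRF] and gives no formula): a Python sketch contrasting a key derivation that pins SHA-1 at call time with the TLS 1.3 exporter of RFC 8446 section 7.5, whose hash follows the negotiated cipher suite. That is what the quoted suggestions to use "a hash function derived from the TLS handshake" or "the TLS-Exporter" amount to in practice. The exporter master secret, the labels, the cipher-suite table and the `derivation_hash`/`uses_sha1` helpers are constructed for illustration; the RFC 5869 test vector is included only as a self-check of the HKDF helpers.

```python
import hashlib
import hmac

# Hash that each TLS 1.3 cipher suite binds to (RFC 8446 appendix B.4).
# Constructed subset for the example; a real stack takes this from the handshake.
SUITE_HASH = {
    "TLS_AES_128_GCM_SHA256": "sha256",
    "TLS_AES_256_GCM_SHA384": "sha384",
    "TLS_CHACHA20_POLY1305_SHA256": "sha256",
}


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes,
                      length: int, hash_name: str) -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1) using the HkdfLabel encoding."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length, hash_name)


def derive_secret(secret: bytes, label: bytes, messages: bytes, hash_name: str) -> bytes:
    """Derive-Secret (RFC 8446 section 7.1): the context is the transcript hash."""
    digest_len = hashlib.new(hash_name).digest_size
    transcript_hash = hashlib.new(hash_name, messages).digest()
    return hkdf_expand_label(secret, label, transcript_hash, digest_len, hash_name)


def derivation_hash(cipher_suite: str) -> str:
    """Hypothetical helper: the hash the exporter will use for this suite."""
    return SUITE_HASH[cipher_suite]


def uses_sha1(hash_name: str) -> bool:
    """Hypothetical policy check for deployments that must disallow SHA-1."""
    return hash_name.lower().replace("-", "") == "sha1"


def tls13_exporter(exporter_master_secret: bytes, label: bytes, context: bytes,
                   length: int, cipher_suite: str) -> bytes:
    """TLS-Exporter (RFC 8446 section 7.5):
    HKDF-Expand-Label(Derive-Secret(Secret, label, ""), "exporter", Hash(context), length).
    The hash is whatever the negotiated suite uses; nothing is pinned here."""
    hash_name = derivation_hash(cipher_suite)
    derived = derive_secret(exporter_master_secret, label, b"", hash_name)
    context_hash = hashlib.new(hash_name, context).digest()
    return hkdf_expand_label(derived, b"exporter", context_hash, length, hash_name)


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str) -> bytes:
    """P_hash expansion (RFC 5246 section 5): A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def fixed_sha1_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """Stand-in for any derivation that hard-codes SHA-1 regardless of the
    handshake. This is NOT the PEAP PRF; it only shows the shape of the problem."""
    return p_hash(secret, label + seed, length, "sha1")


def hkdf_known_answer() -> bool:
    """RFC 5869 appendix A.1 test case 1, run through the helpers above."""
    ikm = bytes([0x0B] * 22)
    salt = bytes(range(0x00, 0x0D))
    info = bytes(range(0xF0, 0xFA))
    prk = hkdf_extract(salt, ikm, "sha256")
    okm = hkdf_expand(prk, info, 42, "sha256")
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


if __name__ == "__main__":
    # Constructed secret, not taken from a real handshake.
    ems = hashlib.sha256(b"constructed exporter master secret").digest()
    label = b"EXPERIMENTAL hypothetical-eap-msk"
    for suite in SUITE_HASH:
        h = derivation_hash(suite)
        print(suite, h, "sha1:", uses_sha1(h), tls13_exporter(ems, label, b"", 64, suite).hex()[:32])
    print("pinned sha1:", uses_sha1("sha1"), fixed_sha1_prf(ems, label, b"", 64).hex()[:32])
    print("hkdf known answer:", hkdf_known_answer())
```

With the exporter, a deployment that negotiates TLS_AES_256_GCM_SHA384 gets SHA-384 in its key derivation without any change to the EAP method, and `uses_sha1(derivation_hash(suite))` is a one-line check a deployer under a SHA-1 disallow policy can run; the pinned P_hash form has no such switch, which is the reason the draft would need to state the hash explicitly.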
