IETF Logo Mail Archive

Re: [Emu] WG last call for draft-ietf-emu-tls-eap-types ?

Alexander Clouter <alex+ietf@coremem.com> Thu, 22 September 2022 08:34 UTC

Return-Path: <alex+ietf@coremem.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1649C15258F for <emu@ietfa.amsl.com>; Thu, 22 Sep 2022 01:34:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=coremem.com header.b=dIkZtw+A; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=qgoQvsP+
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pAsLo0D7TCeP for <emu@ietfa.amsl.com>; Thu, 22 Sep 2022 01:34:13 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3897FC15258C for <emu@ietf.org>; Thu, 22 Sep 2022 01:34:13 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 118725C00E6; Thu, 22 Sep 2022 04:34:12 -0400 (EDT)
Received: from imap46 ([10.202.2.96]) by compute4.internal (MEProxy); Thu, 22 Sep 2022 04:34:12 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coremem.com; h= cc:cc:content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1663835652; x=1663922052; bh=7GCMJ6Y79o Rte5EALjZkZC5IOWZUcFxp67YNVul7yvw=; b=dIkZtw+AMfZ//ufNSUZMCIDbZe Wrhw78Ep4/r+s7iz7X4Pw+X83c9nkuDS+IOIpJWEL+p5LPPnBBL58A4HKzQmcH+p ikFPgOEAQDLqkpb4i7tHnKFMi/stn9WMkpK4MaDwZD8OlcSMa7b0Odo6nJ7SRIVa /R49/ba8rH2V/OM/pW5pbjaJa4LOAdhKEY4eP6GGlYdyue5hKNnMzV2Gqt88C4el 9s5J95cfQW0ab/FpghoOj3yd8IEctNC7lm97oZTrYh+BIFRqZmvIVLBq0ntVhf/a XNM1nF8FYYMZUvonid6qLIGV41f9Ed4QF+fJwTE6MuMzIzoyWl/DhF7HT+CQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:date:date:feedback-id :feedback-id:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1663835652; x=1663922052; bh=7GCMJ6Y79oRte5EALjZkZC5IOWZU cFxp67YNVul7yvw=; b=qgoQvsP+X31Mf2sTUiPVkmE0QjudBntZaFaOqwBBJaZC joM5PN5pHpyfW4meGS0P18nZMn//LVgWYZJBUoxzZoHaold/uNre70TsTe2daVH1 tcLPzINSFxIvw6L+D/CvqlKUTcKRL4lNRWDkVcsdbnKwESy3plYdi4hFMC+CwPwD h9a3G8VMYxALwkuoDdbbkZKN8pXpNsMLfmSvJo1vJtuwMqb+pz8hnxpdM2h2sO+b CWiGeu1jDrhLYtt8k52ZRY28tnf9xBFQSpIlHiYUqE2oWM4h/Q5/s3CRsT7KNMxB DFEtRpd5KxGyC4CwGUpRQA5iL5GOYjNap/7d8xDNdA==
X-ME-Sender: <xms:Ax4sYwHaPN78zTGqcYBKAU3HdTX55eMLpKEgkiBGutQJkW20OHaOfA> <xme:Ax4sY5XUp2qpFPNuKzLDlmmMVchgjHYpcp7ugsUohQBOQ2gEanSdximM5cb6td5D0 SN3GcbfLJQgVl6esw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrfeeffedgtdduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvfevufgtsehttdertderredtnecuhfhrohhmpedftehl vgigrghnuggvrhcuvehlohhuthgvrhdfuceorghlvgigodhivghtfhestghorhgvmhgvmh drtghomheqnecuggftrfgrthhtvghrnhepveegheejueevkeevvdfhheeuudefheegudeu tdelleeiteehgeffieettddugfdunecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrg hmpehmrghilhhfrhhomheprghlvgigodhivghtfhestghorhgvmhgvmhdrtghomh
X-ME-Proxy: <xmx:Ax4sY6K5L1nWYSr51Z21LKhqoshfZX1QoBRpQ4mQgUvOuGiKDSPlCg> <xmx:Ax4sYyECVbybWi_9rk9mYhzbk2Od1TgvizJutdWk15z8HtJ8Oj2jHw> <xmx:Ax4sY2VSy2CWCPv_xuyZAQtTglwF-0VxKKqVEZWeoZ1M7j0tddkkYw> <xmx:BB4sYxAl-LBfx6L7fFMss3l8YjKTnwUrPT0YShnrE2P9DuyQAH9LQw>
Feedback-ID: ie3614602:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id B4F5B2A20080; Thu, 22 Sep 2022 04:34:11 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.7.0-alpha0-935-ge4ccd4c47b-fm-20220914.001-ge4ccd4c4
Mime-Version: 1.0
Message-Id: <2fe78705-a113-4f65-9c6c-95a2f99dbf98@www.fastmail.com>
In-Reply-To: <6F86A929-F41A-4C76-8568-8C1DABB0CDEF@deployingradius.com>
References: <325659CB-E36E-4D18-A59C-B5EA54324201@deployingradius.com> <CAOgPGoAYTe0qtFbJhq7S71FpX+k+1=0Gqqq+pwa+1QnBnQ3wrw@mail.gmail.com> <94154D9C-F880-42DB-B881-38B04F76E196@deployingradius.com> <CAOgPGoBF_8y40oynqQd9rr9PKEy1qNoNae3zMwA+7f7rKN+SUg@mail.gmail.com> <20220910075838.57qeco3egljt7pwp@aineko.digriz.org.uk> <6F86A929-F41A-4C76-8568-8C1DABB0CDEF@deployingradius.com>
Date: Thu, 22 Sep 2022 09:33:49 +0100
From: Alexander Clouter <alex+ietf@coremem.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: EMU WG <emu@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/uGxckobuhfTlLf3wZAsd4PE8KkU>
Subject: Re: [Emu] WG last call for draft-ietf-emu-tls-eap-types ?
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Sep 2022 08:34:18 -0000

Hello,

On Tue, 20 Sep 2022, at 20:50, Alan DeKok wrote:
>
>> Section 2.2 - TEAP
>> ------------------
>> I do not think changing the language for the definition of the MAC used for the Compound MAC was necessary.
>
>   I don't see if changing the definition that much,  There's just a 
> reference to the previous section, which was changed.  That definition 
> was just changed to use TLS-Exporter() instead of TLS-PRF().
>
>   Are there any other changes which need highlighting (or fixing) ?

I got (probably needlessly) hung up on the wording "The TEAP Compound MAC defined in RFC7170 Section 5.3 is updated..." when nothing has changed there other than MAC.

Maybe: "The TEAP Compound MAC defined in [RFC7170] Section 5.3 remains but the message authentication code (MAC) for TLS 1.3 is computed with the HMAC algorithm negotiated for HKDF in the key schedule, as per section 7.1 of RFC 8446.  That is, the MAC used is the MAC derived from the TLS handshake."

I don't think CMK/Compound-MAC needs to be included here, though maybe arguably as most of the definitions at this point have been included, you may as well include the rest for completeness.

>> If any wording changes need to be made, maybe to be more explicit in stating "the MAC from the handshake" or "cipher_suite from RFC8446 section 4.1.3"? I find the existing "section 7.1 of RFC 8446" wording unusable to someone trying to answer "what am I actually meant to do here?"
>
>   Do you have explicit text to suggest?

I think your "That is, the MAC used is the MAC derived from the TLS handshake." covers this, thanks.

Cheers

v2.23.0 | Report a Bug | By Email