IETF Logo Mail Archive

Re: [Emu] New Version Notification for draft-janfred-eap-fido-02.txt

Alexander Clouter <alex+ietf@coremem.com> Mon, 04 March 2024 10:07 UTC

Return-Path: <alex+ietf@coremem.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41CE1C14F6B3 for <emu@ietfa.amsl.com>; Mon, 4 Mar 2024 02:07:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=coremem.com header.b="r63NU7j7"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="G0yD+LoA"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BwEe3fuvnoeq for <emu@ietfa.amsl.com>; Mon, 4 Mar 2024 02:07:00 -0800 (PST)
Received: from wfhigh1-smtp.messagingengine.com (wfhigh1-smtp.messagingengine.com [64.147.123.152]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F196C14F602 for <emu@ietf.org>; Mon, 4 Mar 2024 02:07:00 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailfhigh.west.internal (Postfix) with ESMTP id C64B0180009C for <emu@ietf.org>; Mon, 4 Mar 2024 05:06:55 -0500 (EST)
Received: from imap46 ([10.202.2.96]) by compute3.internal (MEProxy); Mon, 04 Mar 2024 05:06:55 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coremem.com; h= cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm3; t=1709546815; x=1709633215; bh=e1dWMPdRx4 Q9uPBCYG57WsJE1995ZNdlPMzGgp0CwFE=; b=r63NU7j7efKVWywf2fkraJNrtf 4+wUB/o66brVGdYv0Q1XnqrWHTdpWlHf3tfZEy7Fv7eF4tdbisbO70vHjVNp9y6r +56jbBGBnT7XSLx+HZONNbek0BvOU9mwWOvSWhPJH2uwKhK+uarSoH9I+hRBPNOy JABykFN1mj+Z4u4PR2IZK5Pj7mEogrbUpUdGqM23GsZD5l8mSASLrvWqOf1aOvQ2 znaCZIjyqiJ+eXexA2mNUOYMs5pclpEY7NJt+j7rMYEK4/FCVBsGbCu0GC2Gj2rc zTFSlfQce45qlrkIh0Y3PDZNDnx2Lg+DblnXZDhnJWPOfD4ZuYuBy0KqLomw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm1; t=1709546815; x=1709633215; bh=e1dWMPdRx4Q9uPBCYG57WsJE1995 ZNdlPMzGgp0CwFE=; b=G0yD+LoAqT6vNwMjwHr5x+AvVW1vvCKCZZ9BTHwPVT2j dBuoI0z6rR96aSHa4PmRbgV4in/BQmRQn/pOUI14+j21VV4ZhjuivJ4h3pl0geIl 6xXOh6Fnw/q0SU9dlWkWhvHPs9zsdAJVKb2LALhFn9ksrot0ZJYyRXxcoU5TfWJ0 6MFOgzm7sTPUH8Qz/h3FhH2HZia9ppvzntmXb2OMjfeQfcthjDT96YiJo61cv1EE RPHwDBrQH66oNjCLa2+icyhWSlUuOp/aXfqunbgMpUYjtvKb/WQ0+Q45T1Enm7r7 idKnx11Ns82qMyXeWXii/v1+ATgKpH54fpUEVCbHkg==
X-ME-Sender: <xms:P53lZWbr965rJF8bAwE9gbUXQcy8Bph2UtWeZWVhAvSkqN65wkLQ1g> <xme:P53lZZb6CvtxAAouVPm77xBlJhM1KTcajUZvYgvvo5NiowzCMbg4oDb8v7g-xWH2U 3SAshrZK5jCvg9kQA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrheejgdduudcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdetlhgvgigrnhguvghrucevlhhouhhtvghrfdcuoegrlhgv gidoihgvthhfsegtohhrvghmvghmrdgtohhmqeenucggtffrrghtthgvrhhnpedvteejhf ehgfegleeuleefteeikefgvefhheekheevvdekueefkeeiieffhfdvgeenucevlhhushht vghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegrlhgvgidoihgvthhfse gtohhrvghmvghmrdgtohhm
X-ME-Proxy: <xmx:P53lZQ_Od84GjCwMS9Bcew2qgSct94cWMxlXrvVZnxp8F-O9GYu5cQ> <xmx:P53lZYqi28jop8mmbKybz-StjVQANX77PToi5ZOEDBxKCOoUXu1hTQ> <xmx:P53lZRr1B5l6XIX1lhKX8_Xe7ypi4Ek_pR09EVf50G8-yOnI4R62LQ> <xmx:P53lZQT-5EdsUKffUZNP5qVlCKTK--D-p3yhG-8l8JqO-6lNuHQjDZEBMjU>
Feedback-ID: ie3614602:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 0D0512A2008B; Mon, 4 Mar 2024 05:06:54 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.11.0-alpha0-205-g4dbcac4545-fm-20240301.001-g4dbcac45
MIME-Version: 1.0
Message-Id: <19d725e9-586d-4f37-855a-dca2c5c04998@app.fastmail.com>
In-Reply-To: <66bca1b2-4b2d-429d-8f85-5c76d29005ad@dfn.de>
References: <170932527085.22824.18343512124707075119@ietfa.amsl.com> <66bca1b2-4b2d-429d-8f85-5c76d29005ad@dfn.de>
Date: Mon, 04 Mar 2024 10:06:34 +0000
From: Alexander Clouter <alex+ietf@coremem.com>
To: EMU WG <emu@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/wZVxZp7GjRY9O4ydz0qsPFFvMm0>
Subject: Re: [Emu] New Version Notification for draft-janfred-eap-fido-02.txt
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2024 10:07:05 -0000

On Fri, 1 Mar 2024, at 21:08, Jan-Frederik Rieckers wrote:
> I just posted a new version of the EAP-FIDO draft.
>
> [snipped]
>
> Comments are welcome, as always.

Trying to understand the need for 'Credentials IDs (PKIDs) in the authentication request.

My thinking here is "I miss my EAP Identity request", which may be completely mis-placed, but considering the payloads of an authentication request and information request it looks really close to a plain EAP Identity exchange.

The reasoning the document provides is:

authentication request:
-----------------------
"A list of acceptable Credential IDs. This can be used to trigger a re-authentication of a specific credential or to provide a list of the Credential IDs for a *specific user* [my emphasis], if Server-Side Credentials are used"

"can include authentication requirements, additional client data and a list of Credential IDs"

information request: 
--------------------
"If a client does not have sufficient information to perform the FIDO authentication, the client can send an information request message to the server.This is the case if Server-Side Credentials are used, since the FIDO Authenticator needs the list of acceptable Credential IDs to access the actual credentials on the FIDO Authenticator."

Why not just *always* send the list of PKIDs? How is this list formed by a server *before* it  knows the user identity? Is a possible that the anon identify from Phase 1 is enough to perform this?

I am trying to reconcile these two descriptions and the closest I can get is it seems in practice PKIDs can only be offered by the server after seeing the identity?

By introducing EAP Identity an implementer would be more easily able to proxy the inner FIDO authentication but the downside of this is it would bring in an extra round trip as the server still has to send after the EAP Identity response "now do FIDO" and the client cannot initiate this.

On a related note, as a passing thought though I am not sure how this could work, opportunistically could the client make use of the SubjectAltName from the outer TLS jacket of Phase 1 to infer a suitable PKID and avoid needing to make an 'information' round trip? If the server side thinks the peer has picked incorrectly, that is when it responses with the list of PKIDs as it now also knows the peer's identity.

Cheers

v2.23.0 | Report a Bug | By Email