IETF Logo Mail Archive

Re: [Emu] RFC7170bis and lack of identities

Joseph Salowey <joe@salowey.net> Tue, 07 February 2023 06:05 UTC

Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20362C169528 for <emu@ietfa.amsl.com>; Mon, 6 Feb 2023 22:05:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9n2vOzFx7hzE for <emu@ietfa.amsl.com>; Mon, 6 Feb 2023 22:05:04 -0800 (PST)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEE45C169527 for <emu@ietf.org>; Mon, 6 Feb 2023 22:05:04 -0800 (PST)
Received: by mail-lf1-x12b.google.com with SMTP id cf42so20974827lfb.1 for <emu@ietf.org>; Mon, 06 Feb 2023 22:05:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=TyFPopmCCluQlfpkk0w3y4XNzMtlOhW8V0wHOCD8bCc=; b=1DpGRXzwfpjrBBr2g5SzlaB5KpCATMaGiHvyifpJE2o7/JEfxvIN/XPZ/JZvYqi4hz ffhuWz6PpYvnoKfpzLr92uI2eRrGEYI9/A5tm59tfq/0h1v4N8H48G3AYHSRgjJm1AJl iIHPSJGR3WBlCDD15nuPFXRCTG1Z8CPXsqxafaTDvTi3Wkir7o1yxWBM32rrw4UaMcol MFIN8anRPQd2ZCxnuSIFFnAXf46bt3KCRKiBtFy655RLF4Asi2ZEIpqfQjTCf/px2RK9 Cz5b+RnW9mePHkxVuc/lFCJbHNhws8tb5ndHmKF6tk8v3gaeOXV125+wbp9bJPu9BAGm T7Zw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=TyFPopmCCluQlfpkk0w3y4XNzMtlOhW8V0wHOCD8bCc=; b=Pal/vsn7LS+s6JtiPfTJ+INMYmW1JnKxOuYTEJPdpg5Dr/4tm6a+wM9/4Ki3NMceg0 Gy69vlFVIYMl7+FzXTgja8/got/oneuKKUXrMIivxLG7xpV5UvBjZqYTQVy9moGKyqzx AsYmThfVVg7yWIoEX34MVwT4tWlsPX9ja/xnLrJDDYx1UMLCfUehbwRkgsxNBXRUKpd+ FORCsGL5spl/9k+qEd8TJhLZ2k/PQ/WbFLXLBIPY3R/x1inCK9OwU9iSl0lO7WW54EA7 tY0pmpDM+UnsbTkdiQcSPhTpn32p2EvHYiVVRs8S4MP6pwvg3DeUXwxwYiRw16X+ZaNi /CnQ==
X-Gm-Message-State: AO0yUKWnwHIa4kFCXphuPv8JR55Ib9VFWBN/0An5p5q1/YDHtIAtx0rw fqsJ2lb2G735qn8q+7NSqvq5zk4gQopW7uqh31HpSiyxJg1etw==
X-Google-Smtp-Source: AK7set+mQt/Nn96MACl8lOrjRQR2BJBMBweBZtBBRvw+jZ57tcfqgl55+TPpKmKtTcIm6kmkfjfxoI6DImmw1OjLYhI=
X-Received: by 2002:ac2:546e:0:b0:4cc:9d69:4703 with SMTP id e14-20020ac2546e000000b004cc9d694703mr283043lfn.110.1675749902535; Mon, 06 Feb 2023 22:05:02 -0800 (PST)
MIME-Version: 1.0
References: <972E80E4-CB18-4154-A407-5BC04D2677FE@deployingradius.com> <45426003-4eb9-9c31-d66b-3d2b51896bcb@lear.ch> <FFFD2F98-2E7F-4603-9B85-E6C80ACE0799@deployingradius.com> <1165a702-ee9e-4269-8af1-0406eb798de0@app.fastmail.com> <E7F39732-D012-4D2A-A34F-44965763C808@deployingradius.com>
In-Reply-To: <E7F39732-D012-4D2A-A34F-44965763C808@deployingradius.com>
From: Joseph Salowey <joe@salowey.net>
Date: Mon, 06 Feb 2023 22:04:50 -0800
Message-ID: <CAOgPGoBmKQZde=dEmJjD-BMJSyGJ2jiotDSEOtGWQ4RkNNnU6g@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Alexander Clouter <alex+ietf@coremem.com>, EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ac64b705f415ed3c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/xJdwsSZAKRRXWery6LAuzPPggTg>
Subject: Re: [Emu] RFC7170bis and lack of identities
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2023 06:05:07 -0000

On Thu, Feb 2, 2023 at 11:17 AM Alan DeKok <aland@deployingradius.com>
wrote:

> On Feb 2, 2023, at 1:52 PM, Alexander Clouter <alex+ietf@coremem.com>
> wrote:
> >>  I'm not clear how that would happen.  Nothing in the doc discusses
> >> how a client may choose authentication methods.
> >
> > The documentation does not but I did see Appendix C.9 lets the client
> state what it wants to do:
> >
> >
> https://datatracker.ietf.org/doc/html/draft-ietf-emu-rfc7170bis-03#name-c9-peer-requests-inner-meth
>
>   i.e. the client authenticates in phase 1, via something like a client
> cert.
>
>   That flow does look a little odd to me:
>
> EAP-Response/
>   EAP-Type=TEAP, V=1
>   [TLS certificate,]
>    TLS client_key_exchange,
>   [TLS certificate_verify,]
>    TLS change_cipher_spec,
>    TLS finished ->
>                           <- EAP-Request/
>                           EAP-Type=TEAP, V=1
>                           (TLS change_cipher_spec,
>                            TLS finished,
>                            Crypto-Binding TLV (Request),
>                             Result TLV (Success))
>
>
>   So... the first set of data in the tunnel is Crypto-Binding?  Hmm..
>
>   I'll have to test that to see if it works.
>
>
[Joe]  The intent here was that the client authenticated using a
certificate during the TLS handshake and that the server viewed this as
sufficient to meet the authentication requirements, but the client requires
another method to be executed so it uses the request action frame to start
up a new exchange.   Example C4 shows TLS client authentication with
renegotiation, but it seems a bit weird to me in that it is client
initiated in response to a server EAP-IDentity Request.

Did you find out if any of this is supported?

> Using the Identity-Hint TLV to steer the server so at least it knows if
> it is machine or a user authentication coming its way is useful. Some if
> not most sites should find this good enough for them.
> >
> > Though if you are proposing this to be optional, why not define another
> new TLV the client MAY send with Identity-Hint TLV that takes the place of
> the EAP-Identity response for only when it wants to go and do
> Basic-Password-Auth.
>
>   I think it would just need Identity-Hint?
>
> Identity-Hint "bob" -->
>
>                 <-- Basic-Password-Auth-Req
>
> Basic-Password-Auth-Resp  "bob" password "hello" -->
>
> > To trim a round trip, you could add language on for servers supporting
> this MAY wish to treat this as a username if the server would only send a
> Basic-Password-Auth-Req asking for the same information anyway...to trim a
> round trip.
> >
> > I'm unable to think of a time why you would respond to a username
> request differently for an inner method, so it should be safe...mostly.
>
>   Different authentication types required for user / machine auth?
> Password for users, and EAP-TLS for machines?
>
>   For me it's also partly about not forbidding certain work flows.  Right
> now, "select auth based on identity" is either impossible, or requires
> extra "oopsie" packet exchanges.  That doesn't seem right.
>
>
[Joe] Although this seems OK, I'd rather be removing things than adding
things. I think we should make sure that the working group wants this.


>   Alan DeKok.
>
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
>

v2.23.0 | Report a Bug | By Email