Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

Joseph Salowey <joe@salowey.net> Mon, 07 October 2019 00:42 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/yaUUtfpy1Sv7jJsr5lJ2QnoczsE>

There is a TLS working group draft on importing external PSKs for use with
TLS - https://tools.ietf.org/html/draft-ietf-tls-external-psk-importer-01.
This draft can mitigate some of the issues with using external PSKs.

My suggestion is to leave the draft as is and deal with external PSKs as an
update to EAP-TLS 1.3 or as a separate method.

Is the current published version up to date with the rest of the comments?

Thanks,

Joe

On Fri, Sep 20, 2019 at 3:42 AM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:

> Hi Alan,
>
> I added references to RFC 8446 Section 8.1, and 8.2, and 4.2.11. Agree
> that they are good to point out.
>
> I am not sure about the other suggestions, I am hesitant to discuss
> anything detailed about TLS 1.3 that does not have a specific connection to
> EAP-TLS or are useful for users of EAP-TLS. My feeling is that adding some
> extensions, but not others, would be even more confusing. The diagrams are
> there to show the message flows, which have a strong connection to the EAP
> state machine. For other details I think implementors have to read RFC 8466.
>
> /John
>
> -----Original Message-----
> From: Alan DeKok <aland@deployingradius.com>
> Date: Wednesday, 18 September 2019 at 15:21
> To: "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>,
> EMU WG <emu@ietf.org>
> Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
> Resent from: <alias-bounces@ietf.org>
> Resent to: John Mattsson <john.mattsson@ericsson.com>, <mohit@piuha.net>
> Resent date: Wednesday, 18 September 2019 at 15:21
>
>       Just re-reading the text on PSK, I noticed a few things.  The text
> in Section 2.1.2 talks about PSK, the session ticket, and a "key_share"
> extension.   The accompanying diagram doesn't include any of those.  I
> suggest updating the diagram to include them.
>
>       As a related note, if the PSK *is* in the resumption cache, but the
> key is wrong, the cache entry should not be discarded.  Otherwise an
> attacker can disable caching for *all* users.  This issue could be clearer
> in this document.
>
>       Perhaps it would be useful to add a short note in Section 5 about
> security of resumption.  It should reference RFC 8446 Section 8.1, and 8.2,
> which discuss this issue.  Also, Section 4.2.11 of that document has an
> "Implementor's note:" which is important.
>
>       Alan DeKok.
>
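
The resumption-cache behaviour raised in Alan DeKok's quoted comment, as an added example that is not part of the original thread or of any EAP-TLS implementation: it compares a server that evicts a cache entry on a failed PSK check with one that only rejects the attempt. `ResumptionCache`, `binder`, `run` and the sample identity are hypothetical, and the binder is a simplified HMAC rather than the RFC 8446 Section 4.2.11 construction.

```python
import hashlib
import hmac
import os


def binder(psk: bytes, hello: bytes) -> bytes:
    # Simplified stand-in for the TLS 1.3 PSK binder: real TLS derives a
    # binder key from the PSK and MACs a transcript hash.
    return hmac.new(psk, hello, hashlib.sha256).digest()


class ResumptionCache:
    """Hypothetical server-side cache: PSK identity -> resumption PSK."""

    def __init__(self, evict_on_bad_binder: bool):
        self.evict_on_bad_binder = evict_on_bad_binder
        self.entries = {}

    def store(self, identity: bytes, psk: bytes) -> None:
        self.entries[identity] = psk

    def try_resume(self, identity: bytes, hello: bytes, offered: bytes) -> str:
        psk = self.entries.get(identity)
        if psk is None:
            return "full-handshake"        # unknown identity: no resumption
        if hmac.compare_digest(binder(psk, hello), offered):
            return "resumed"
        if self.evict_on_bad_binder:
            del self.entries[identity]     # flawed: any sender can trigger this
        return "rejected"                  # fail this attempt only


def run(evict_on_bad_binder: bool) -> str:
    cache = ResumptionCache(evict_on_bad_binder)
    identity, psk = b"ticket-alice", os.urandom(32)  # constructed sample values
    cache.store(identity, psk)
    # A third party presents the identity with a binder it cannot compute.
    cache.try_resume(identity, b"forged hello", os.urandom(32))
    # The legitimate peer then tries to resume with the correct key.
    hello = b"alice hello"
    return cache.try_resume(identity, hello, binder(psk, hello))


if __name__ == "__main__":
    print("evict on failure:", run(True))    # full-handshake
    print("keep on failure: ", run(False))   # resumed
```

With eviction enabled, one failed attempt from any sender forces the legitimate peer back to a full handshake; keeping the entry confines the failure to the bad attempt.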