IETF Logo Mail Archive

Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

Alan DeKok <aland@deployingradius.com> Mon, 04 November 2019 15:50 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13746120089 for <emu@ietfa.amsl.com>; Mon, 4 Nov 2019 07:50:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bBGoV0osi9E4 for <emu@ietfa.amsl.com>; Mon, 4 Nov 2019 07:50:03 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D7CC120168 for <emu@ietf.org>; Mon, 4 Nov 2019 07:50:02 -0800 (PST)
Received: from [192.168.20.132] (ottawa.ca.networkradius.com [72.137.155.194]) by mail.networkradius.com (Postfix) with ESMTPSA id E7B192B4 for <emu@ietf.org>; Mon, 4 Nov 2019 15:50:00 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none header.from=deployingradius.com
From: Alan DeKok <aland@deployingradius.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Mon, 04 Nov 2019 10:49:59 -0500
References: <7828_1564869242_5D46027A_7828_348_1_02e001d54a45$e92ae900$bb80bb00$@augustcellars.com> <20b118932a4843b6b88e605799fafea8@aalto.fi> <211AD83C-D111-4EEB-AAF0-D9B5E521F4CF@deployingradius.com> <8F355C6F-DF1E-4E03-B75E-0F1D2508B9D4@ericsson.com> <246280B8-6E5C-484B-95BD-9C940C98C507@deployingradius.com> <CY4PR1101MB22781AB8C8982ACF99B61544DB8E0@CY4PR1101MB2278.namprd11.prod.outlook.com> <17E08795-4E4E-4507-8384-836020966BCF@deployingradius.com> <634C375D-FBF3-4297-A5C0-E68C903CA34A@ericsson.com> <CAOgPGoBko6N_JebmisoSk_EJ=Hq21sV3xoXjLw4r7D+OFSsdZA@mail.gmail.com> <CC58A292-03D6-4D70-A11F-B8FEE7311E78@cisco.com> <26738.1570791861@dooku.sandelman.ca> <AD799A14-8268-4BAF-8925-3567973C7507@cisco.com> <9501.1570802988@dooku.sandelman.ca> <DCC85780-B079-4AD0-8870-7528270B70D8@cisco.com> <CAOgPGoA0RCY+J5bDOyUiKtFy5Vk=C11yvE8O=rsJPQeS8Fzk0A@mail.gmail.com> <B31BF8C4-6568-49F2-BBD1-BD6AC66D393C@cisco.com> <20826A11-1881-40F9-8C54-82BB90820851@deployingradius.com> <CAOgPGoCAb6hbWfPLLGDXAv80Grxn1vTTxOzLctx4E+R0ZhBvGg@mail.gmail.com> <575D1FD8-9C81-4DA7-B542-71B6D78E7BAC@deployingradius.com> <CAOgPGoCu4NmJi8SR779JDORojmOSgUYqmtjNorh9GMYH05wTJA@mail.gmail.com> <A4FA2DD6-9376-474D-B02A-D90E9D8C6C6E@deployingradius.com>
To: EMU WG <emu@ietf.org>
In-Reply-To: <A4FA2DD6-9376-474D-B02A-D90E9D8C6C6E@deployingradius.com>
Message-Id: <CA9E539D-4C78-4DBF-9DAC-4850D7C84105@deployingradius.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/zb5YMqKYhE0dmGlqfn3PWT63vBU>
Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2019 15:50:05 -0000

  After checking the draft again, Section 2.1.4 does have comments about anonymizing the NAI.  But those comments are limited to NAIs derived from certificates.

  I think that the text needs to be expanded to make the recommendations more genetic, and clearer.  I hope that my previous message clarified some of the issues here.

  I would like to see some discussion of these topics in the draft.  I don't think it's clear enough that the EAP Identity should always be "@realm", and there is no discussion on EAP Identity and resumption.

  I would suggest a new section called "Identities".  This section could go after 2.1.1, and incorporate some existing text from the Privacy section.  Suggested text follows.

Identities

EAP-TLS peer and server implementations supporting TLS 1.3 or higher
MUST support anonymous NAIs (Network Access Identifiers) (Section 2.4
in [RFC7542]) and a client supporting TLS 1.3 MUST NOT send its
username in cleartext in the Identity Response.  It is RECOMMENDED to
use anonymous NAIs, but other solutions where the username is
encrypted MAY be used.

This recommendation applies to all uses of EAP-TLS, no matter the underlying TLS authentication mechanism.  This recommendation also applies when resumption is used.

The anonymous NAI can often be derived automatically.  When certificates are used, the certificate common name is often in the form of an email address.  The anonymous NAI can be derived from that address by using only the "@realm" portion.  This derivation has privacy implications, as discussed in the Privacy section, below.

In some cases, the anonymous NAI cannot be derived from the underlying TLS authentication mechanism.  For example, when PSKs are used, the PSK identity may be an opaque binary string.  Binary data is not compatible with the EAP Response / Identity field, as Section 5.1 of 3748 requires that the Identity field be composed solely of UTF-8 encoded ISO 10646 characters.  Instead, the Identity may be statically pre-provisioned.  Or for resumption, the Identity used for resumption SHOULD be the same as the Identity used for the original authentication.

v2.23.0 | Report a Bug | By Email