Re: [Last-Call] [Emu] Secdir last call review of draft-ietf-emu-rfc7170bis-15
David Mandelberg <david@mandelberg.org> Sat, 02 March 2024 18:20 UTC
Return-Path: <david@mandelberg.org>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E89EC14F6F7 for <last-call@ietfa.amsl.com>; Sat, 2 Mar 2024 10:20:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=mandelberg.org header.b="tD1Dl4ok"; dkim=pass (2048-bit key) header.d=mandelberg.org header.b="AcnUL8yQ"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ki7GhfCWtStt for <last-call@ietfa.amsl.com>; Sat, 2 Mar 2024 10:20:36 -0800 (PST)
Received: from mail-qv1-xf64.google.com (mail-qv1-xf64.google.com [IPv6:2607:f8b0:4864:20::f64]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7773C14F6B8 for <last-call@ietf.org>; Sat, 2 Mar 2024 10:20:36 -0800 (PST)
Received: by mail-qv1-xf64.google.com with SMTP id 6a1803df08f44-68fe8e20259so18830146d6.2 for <last-call@ietf.org>; Sat, 02 Mar 2024 10:20:36 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709403635; x=1710008435; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :dkim-signature:dkim-signature:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=7baH3w0aIauZDicm7T5aqHfhacGdHO5LAerRLszXpvM=; b=o+FisEVzkUbe3EJGug14rcaemM3vtU92OnBOfshzQaZjbXfZIZ9IFMdkpUdxfK7pdS iwL3o2y2GxL3GdBqTfVhktgawAvnHWdf8EpPv/sz8iOrAAgRwg/YGRKBSqcAeLn/B6M1 SVbJFlhCkyAGHnC/jrsC9qdSfVdcsb0OWk4vKSN9zEGa1WYCid7aQu8HC3VVw0FBeskW nKm4eKpvb8PL+qFMVDXOcXkA82n2iNyGp58INEU+gXw4TtXAhJ1njFiHZpMevp9T9v5f qv3M3omkYOI//oSzj2at25nM6SNKB0p6+9UacpmuXK6Norc+ZK2MNi6E8obudluDUsvu Uxrw==
X-Forwarded-Encrypted: i=1; AJvYcCV5clqb32rZBdT3Xw5dK83acFr8TNJmHdk5tE1z+D/Xy2GDgLhcIfg8bYL8knFnOmg87eeT0i6FBd/FiX0jgdMtiag=
X-Gm-Message-State: AOJu0YzNuH5pRdqP11ilB78uc+ATABxizEzEKP6vzyq20kwpsKL5qt1/ 8MmcLKNMv1peWEotSWKlxCofeYsyUVUsrkWtYZ/3mBn+XB2jTOb/hi91zph0eI3UGai0KI47r1K sW/PxOOOzL5r2Fp5UUdJdn+rVdEDlfE1R
X-Google-Smtp-Source: AGHT+IHnq+RtDAOrQpNv4M9Ray85WqVHcg2MDBqFu8o5t3Yvx1hVuu2OHHaWM8IUXUKXckbiLjPIF5tMsZtZ
X-Received: by 2002:a0c:da86:0:b0:68f:3295:2457 with SMTP id z6-20020a0cda86000000b0068f32952457mr6551632qvj.43.1709403635572; Sat, 02 Mar 2024 10:20:35 -0800 (PST)
Received: from mail-outbound-e14cf917.virgo.mandelberg.org (pool-108-49-41-183.bstnma.fios.verizon.net. [108.49.41.183]) by smtp-relay.gmail.com with ESMTPS id q5-20020a05621419e500b0068fef02d18csm280124qvc.18.2024.03.02.10.20.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 02 Mar 2024 10:20:35 -0800 (PST)
X-Relaying-Domain: mandelberg.org
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=mandelberg.org; i=@mandelberg.org; q=dns/txt; s=mail-outbound-e14cf917-597d7abb; t=1709403634; h=message-id : date : mime-version : subject : to : cc : references : from : in-reply-to : content-type : content-transfer-encoding : from; bh=XkLhK/wTcjJXWU+e/o+WUu68WgxOpxn7K0F62EYZyl8=; b=tD1Dl4okoePSVu5uKByY604KGfJYxhaHJib5TD7RIDHX7xqU+KF326zMBlc+9kKKqcWCO 94/LV2ShwqI/3pfAQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mandelberg.org; i=@mandelberg.org; q=dns/txt; s=mail-outbound-e14cf917-e56dad1c; t=1709403634; h=message-id : date : mime-version : subject : to : cc : references : from : in-reply-to : content-type : content-transfer-encoding : from; bh=XkLhK/wTcjJXWU+e/o+WUu68WgxOpxn7K0F62EYZyl8=; b=AcnUL8yQmia1GKlLftaFNPpCtjkfx4Tf5GNWtQ1HpLpLBvRULr7M5ti11Z86m7vHtjFN8 MDun+1UxywSeK5oDrUCUmMzCglil3ROCFGmGmd5lalzljvUDu3tboBM1Fc/fLg9lKNRlH7N iZLKUkzORLKMtckTFafRqCdR42SGAeWw5UOBBzjTSZ8HEaQ/JRny0BwsqWxqQDUCoNwj3fC e7gHiqHxH8vAynLd/wTOs3bQcebOfScLAFoqlOH8lG0/toWx8wxZloBruJgkAT3gX3Cm12I XiHjAj9sDi4vH2EQzEaD+bq9RRwOVY+Z4KHScHDXTbTzgX+RBQ5KLdfufBfg==
Received: from [IPV6:fde5:2b79:35f0:2::166] (solaria.virgo.mandelberg.org [IPv6:fde5:2b79:35f0:2::166]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by mail-outbound-e14cf917.virgo.mandelberg.org (Postfix) with ESMTPSA id 4TnCtp6flMzySS; Sat, 2 Mar 2024 18:20:34 +0000 (UTC)
Message-ID: <f3384fef-8e72-4401-86f7-c15aa3dc92b0@mandelberg.org>
Date: Sat, 02 Mar 2024 13:20:34 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Alexander Clouter <alex+ietf@coremem.com>, secdir@ietf.org
Cc: draft-ietf-emu-rfc7170bis.all@ietf.org, EMU WG <emu@ietf.org>, last-call@ietf.org
References: <170934966282.22720.15728977796194077360@ietfa.amsl.com> <b6b6b90d-ff6b-486a-ab0e-d38c7b00c79f@app.fastmail.com>
From: David Mandelberg <david@mandelberg.org>
In-Reply-To: <b6b6b90d-ff6b-486a-ab0e-d38c7b00c79f@app.fastmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/cbM76xNWbwg0IV4EV3LsFXANO8Q>
Subject: Re: [Last-Call] [Emu] Secdir last call review of draft-ietf-emu-rfc7170bis-15
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Mar 2024 18:20:41 -0000
Op 2024-03-02 om 11:27 schreef Alexander Clouter: > On Sat, 2 Mar 2024, at 03:21, David Mandelberg via Datatracker wrote: >> >> (nit) If I understand the TEAP version negotiation and Crypto-Binding >> correctly, the negotiated version is not cryptographically verified until >> either (1) after the first inner method is completed or (2) just before the >> final result, if there are no inner methods. Is that correct? > > Correct (section 4.2.13), these are when the peer sends a Intermediate-Result or Result TLV which must be accompanied with a Crypto-Binding TLV. > >> Does that mean >> it's possible for an attacker to get both sides to speak a lower-than-ideal >> TEAP version while performing the first inner method, and if so, does that >> matter? Or could an attacker get one side to think it's using one version and >> the other side to think it's using another version? What affect would that have >> on the first inner method? > > I think it does but I do not think it matters as none of the inner methods are aware or coupled to the version of TEAP being used. > > In the future, if TEAPv2 came along, maybe the fallout could be that a non-superset of inner methods and attributes would be allowed and there would be no guards that may bump the state machine around. > > Not sure what could be done, as RFC7170bis describes what is already deployed. > > Maybe a TEAPv2 could use ALPN for the TLS jacket to avoid this..erk, I think I may have suggested something that could be retro fitted here without impacting existing implementations; assuming they would just ignore the ALPN. ALPN would solve the problem of speaking different versions, but the version downgrade problem would still stick around until the first Crypto-Binding, right? (Not saying that's a problem, just want to make sure we all understand what it would and wouldn't provide.) >> (nit) Also, should section 4.2.20 recommend against using that TLV until after >> the server is authenticated? > > For the unauthenticated server this means really a provisioning process is about to take place which limits what the client is allowed to do next by section 3.11.3. Those methods must provide mutual authentication as one of their requirements. > > I suspect we could limit the TLV to only be sent by *configured* clients as they would have verified the server always by that point using the outer TLS jacket. > > We though would be unable to do this if someone knows of a use case where two authentication methods for provisioning are required (user+machine auth?). If it's not feasible to require server authentication before sending Identity-Hint, then maybe at least document what information can be leaked by it and in what circumstances? Or maybe recommend that implementations don't send it by default to unauthenticated servers, but offer a way for the user to override that default?
- [Last-Call] Secdir last call review of draft-ietf… David Mandelberg via Datatracker
- Re: [Last-Call] [Emu] Secdir last call review of … Alexander Clouter
- Re: [Last-Call] [Emu] Secdir last call review of … David Mandelberg
- Re: [Last-Call] [secdir] [Emu] Secdir last call r… Alan DeKok
- Re: [Last-Call] [Emu] Secdir last call review of … Alexander Clouter
- Re: [Last-Call] [Emu] Secdir last call review of … Alan DeKok
- Re: [Last-Call] [Emu] Secdir last call review of … Alexander Clouter
- Re: [Last-Call] [Emu] Secdir last call review of … Alan DeKok
- Re: [Last-Call] [Emu] Secdir last call review of … Alexander Clouter