Re: [radext] I-D Action: draft-ietf-radext-tls-psk-03.txt

Peter Deacon <peterd@iea-software.com> Wed, 20 September 2023 00:02 UTC

Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A7EDC1522CB for <radext@ietfa.amsl.com>; Tue, 19 Sep 2023 17:02:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ic0RTYDCil08 for <radext@ietfa.amsl.com>; Tue, 19 Sep 2023 17:02:23 -0700 (PDT)
Received: from aspen.iea-software.com (www.iea-software.com [70.89.142.193]) by ietfa.amsl.com (Postfix) with ESMTP id 9A098C1522AF for <radext@ietf.org>; Tue, 19 Sep 2023 17:02:23 -0700 (PDT)
Received: from smurf (unverified [10.0.3.195]) by aspen.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0006194940@aspen.iea-software.com>; Tue, 19 Sep 2023 17:02:22 -0700
Date: Tue, 19 Sep 2023 17:02:22 -0700
From: Peter Deacon <peterd@iea-software.com>
To: Alan DeKok <aland@deployingradius.com>
cc: radext@ietf.org
In-Reply-To: <94B53F4B-3D37-41C7-80AC-5C233B6CF271@deployingradius.com>
Message-ID: <a144a652-c829-2b69-cf6a-a38d03335e5b@iea-software.com>
References: <C3B7208C-C5E9-4F24-A4A3-9786A4568134@gmail.com> <0A108CC4-20E0-4089-9C73-6C321969133D@deployingradius.com> <CAOW+2dtDiL1DVd+uc0cga5ng+540v1h-Fgdm3Yo=GPOUGCYR0g@mail.gmail.com> <8D4A5243-47E4-44E1-825E-8B74772FD6AF@deployingradius.com> <CAOW+2du1RLGymyy8u4C_dq76OogXH819a3u5m86dBi_s59BrdA@mail.gmail.com> <56640CFB-C826-428C-B1E0-8C256A3B222E@deployingradius.com> <bd9dad9e-daab-97e6-3544-13e32be2000c@iea-software.com> <DBA2BB0F-A5BD-41EF-96AF-CBD8A2931505@deployingradius.com> <ed5071e6-efc6-d891-8c5b-1cfaed9d6342@iea-software.com> <94B53F4B-3D37-41C7-80AC-5C233B6CF271@deployingradius.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/1e7hgy64-p-BrASXtVqcxoZJIc8>
Subject: Re: [radext] I-D Action: draft-ietf-radext-tls-psk-03.txt
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2023 00:02:24 -0000

On Tue, 19 Sep 2023, Alan DeKok wrote:

> On Sep 19, 2023, at 1:20 PM, Peter Deacon <peterd@iea-software.com> wrote:

>> SRP ciphersuites are supported in OpenSSL.  We've used them for years. 
>> That I know of wolfSSL and GnuTLS support SRP as well.  OpenSSL uses a 
>> similar callback scheme for SRP as the external PSKs.

>  OK, but that's changing the subject.  If you want to write a document
>  on using SRP with RADIUS/TLS, that's completely separate from TLS-PSK.

I have no intention on writing a separate draft nor do I expect this draft 
to be modified to include PAKE.  Remarks quoted above were offered only as 
a direct response to a question you asked about support in standard TLS 
libraries.

I agree with the perspective insecure PSK authentication methods are good 
enough when you assume only keys having sufficient entropy to weather 
offline challenge are used.

The reason for persuing PAKE is I simply don't view as credible the 
prospect decades of real world precident can be changed by merely calling 
a shared secret something else and placing a bunch of strong words in an 
RFC.  I believe use of secure authentication between RADIUS clients and 
servers improves real world security at implementation costs no different 
from PSK.

Not suggesting or requsting this WG do anything at all about my personal 
perspectives on PAKEs.

>> "While there is no known way in which the same PSK might produce 
>> related output in both versions, only limited analysis has been done. 
>> Implementations can ensure safety from cross-protocol related output by 
>> not reusing PSKs between TLS 1.3 and TLS 1.2"

>> This is a reflection of inability to formally prove separation not that 
>> there is actually a problem.

>  The fact that attacks are unknown simply means that they are likely to
>  exist in the future.

The prospect of unknown attacks is what crypto agility is all about and 
why unecessarily restricting PSK to just one version at present is a 
source of avoidable risk by preventing operators from reacting should the 
unknown occur.

>  Given also the complexity of supporting multiple TLS versions with PSK
>  + certs + resumption etc., I think it's worth suggesting that TLS 1.2
>  isn't worth it.

To be clear in no way arguing TLS 1.2 should be required or anyone 
implementing servers or clients otherwise feel in any way compelled to 
support it.  Only that it not be activly disallowed or discouraged.

>  TLS 1.3 (RFC8446) is 5 years old.  It will likely be 6-7 years old by
>  the time we issue "standards track" RADIUS/TLS documents.  I see it as
>  only problematic to continue support for old TLS versions.

Not advocating anyone should have to support old TLS versions.  My request 
is merely to require TLS 1.3 or later and say nothing about 1.2.

regards,
Peter