[radext] Terminology: Tickets, external and resumption PSKs in the RADIUS TLS-PSK draft

Heikki Vatiainen <hvn@radiatorsoftware.com> Wed, 20 March 2024 03:35 UTC

From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Wed, 20 Mar 2024 13:34:45 +1000
Message-ID: <CAA7Lko8i=MLUHyHAwZmR4kbEYjzf_7+GpihEnSCgur_drRpm-g@mail.gmail.com>
To: radext@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/4-5-l5-emo7Ui9U_jM78bugMUh0>

The current RADIUS TLS-PSK draft introduces the term 'ticket' in section 'PSK
Identities':
https://www.ietf.org/archive/id/draft-ietf-radext-tls-psk-09.html#name-psk-identities

In this section a reference is made to the TLS 1.3 RFC section 4.6.1, which
describes the 'New Session Ticket Message'. My suggestion is to use
section 4.2.11 'Pre-Shared Key Extension' instead:
https://www.rfc-editor.org/rfc/rfc8446#section-4.2.11

The definitions therein boil down to this:

      struct {
          opaque identity<1..2^16-1>;
          uint32 obfuscated_ticket_age;
      } PskIdentity;

   identity:  A label for a key.  For instance, a ticket (as defined in
      Appendix B.3.4) or a label for a pre-shared key established
      externally.

With the above it's similarly clear that the identity is opaque.

The reasoning is this: this draft defines the use of external PSKs. Only
resumption PSKs sent by servers use 'New Session Ticket Message'. External
PSK labels are sent by clients using the 'Pre-Shared Key Extension'. In
other words, 'New Session Ticket Message' is not relevant with external
PSKs whose use this draft defines.

Also, when session resumption is turned off on the server side, 'New
Session Ticket Message' is never used. For these reasons it would be
clearer for the readers that the draft refers to messages that they'll see
with the external PSKs RADIUS TLS-PSK uses.

To summarise the above: be clear that 'ticket' is for resumption PSKs while
this draft targets using external PSKs.

I've also created a pull request that tries to minimise different ways to
say 'external PSK' and 'session resumption PSK'.
https://github.com/radext-wg/draft-ietf-radext-tls-psk/pull/3

-- 
Heikki Vatiainen
hvn@radiatorsoftware.com
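As an added worked example (not part of the message above, the RADIUS TLS-PSK draft, or any vendor's code), the following Python encodes and parses the OfferedPsks structure that a client sends in the TLS 1.3 pre_shared_key extension (RFC 8446 section 4.2.11), i.e. the PskIdentity struct quoted above plus its accompanying binders. It shows two points the message makes: the identity is an opaque byte string (a printable label for an external PSK and a random ticket blob both encode the same way), and only the obfuscated_ticket_age distinguishes them on the wire, since RFC 8446 says a client SHOULD send 0 for externally established PSKs. The identity label, ticket bytes and binder values are constructed placeholders; a real binder is an HMAC over the partial ClientHello transcript, which this example deliberately does not compute.

```python
"""Encoder/parser for OfferedPsks from the TLS 1.3 pre_shared_key extension.

Added illustration only; not code from the RADIUS TLS-PSK draft or from any
RADIUS implementation. Vector layout from RFC 8446 section 4.2.11:

    struct { opaque identity<1..2^16-1>; uint32 obfuscated_ticket_age; } PskIdentity;
    opaque PskBinderEntry<32..255>;
    struct { PskIdentity identities<7..2^16-1>;
             PskBinderEntry binders<33..2^16-1>; } OfferedPsks;
"""
import struct

MAX_U16 = 0xFFFF


class PskFormatError(ValueError):
    """Raised when an OfferedPsks blob violates the RFC 8446 length bounds."""


def encode_psk_identity(identity: bytes, obfuscated_ticket_age: int) -> bytes:
    """Serialise one PskIdentity; identity is opaque, any bytes are allowed."""
    if not 1 <= len(identity) <= MAX_U16:
        raise PskFormatError("identity must be 1..65535 bytes")
    if not 0 <= obfuscated_ticket_age <= 0xFFFFFFFF:
        raise PskFormatError("obfuscated_ticket_age must fit in uint32")
    return struct.pack("!H", len(identity)) + identity + struct.pack("!I", obfuscated_ticket_age)


def encode_offered_psks(identities, binders) -> bytes:
    """identities: list of (identity_bytes, ticket_age); binders: list of bytes."""
    if len(identities) != len(binders):
        raise PskFormatError("exactly one binder per identity")
    ids = b"".join(encode_psk_identity(i, age) for i, age in identities)
    if not 7 <= len(ids) <= MAX_U16:
        raise PskFormatError("identities vector out of range")
    bs = b""
    for b in binders:
        if not 32 <= len(b) <= 255:  # PskBinderEntry<32..255>
            raise PskFormatError("binder must be 32..255 bytes")
        bs += bytes([len(b)]) + b
    if not 33 <= len(bs) <= MAX_U16:
        raise PskFormatError("binders vector out of range")
    return struct.pack("!H", len(ids)) + ids + struct.pack("!H", len(bs)) + bs


def _read_vector(buf: bytes, pos: int, len_bytes: int):
    """Read a TLS length-prefixed vector; return (payload, new_pos)."""
    if pos + len_bytes > len(buf):
        raise PskFormatError("truncated length field")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise PskFormatError("truncated vector body")
    return buf[pos:pos + n], pos + n


def parse_offered_psks(buf: bytes):
    """Return (identities, binders) from an OfferedPsks blob, checking bounds."""
    ids_blob, pos = _read_vector(buf, 0, 2)
    binders_blob, pos = _read_vector(buf, pos, 2)
    if pos != len(buf):
        raise PskFormatError("trailing bytes after OfferedPsks")
    identities, p = [], 0
    while p < len(ids_blob):
        ident, p = _read_vector(ids_blob, p, 2)
        if not ident:
            raise PskFormatError("empty identity")
        if p + 4 > len(ids_blob):
            raise PskFormatError("truncated obfuscated_ticket_age")
        identities.append((ident, struct.unpack("!I", ids_blob[p:p + 4])[0]))
        p += 4
    binders, p = [], 0
    while p < len(binders_blob):
        b, p = _read_vector(binders_blob, p, 1)
        if len(b) < 32:
            raise PskFormatError("binder shorter than 32 bytes")
        binders.append(b)
    if len(identities) != len(binders):
        raise PskFormatError("identity/binder count mismatch")
    return identities, binders


def is_external_psk_offer(identities) -> bool:
    """RFC 8446 4.2.11: clients SHOULD send obfuscated_ticket_age = 0 for
    external PSKs, so a non-zero age points at a resumption ticket instead."""
    return all(age == 0 for _, age in identities)


if __name__ == "__main__":
    # Constructed values: an external-PSK label and a placeholder binder.
    ext = [(b"nas01.example.net", 0)]
    blob = encode_offered_psks(ext, [bytes(32)])
    print("external:", parse_offered_psks(blob), is_external_psk_offer(ext))
    # A NewSessionTicket-style identity: opaque blob plus a non-zero age.
    tkt = [(bytes(range(48)), 0x12345678)]
    print("resumption:", is_external_psk_offer(parse_offered_psks(
        encode_offered_psks(tkt, [bytes(32)]))[0]))
```

The parser rejects every length-bound violation rather than silently truncating, which matters on a RADIUS/TLS server: an identity is the only thing the server has to select the right external PSK, so a malformed identities vector should fail the handshake rather than fall through to a default key.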