Re: [radext] WGLC for draft-ietf-radext-tls-psk-04

Fabian Mauchle <fabian.mauchle@switch.ch> Fri, 12 January 2024 16:56 UTC

Message-ID: <e34c5a26-079d-4988-83b0-c53c3708ef2e@switch.ch>
Date: Fri, 12 Jan 2024 17:56:18 +0100
To: Alan DeKok <aland@deployingradius.com>
CC: radext@ietf.org
References: <005901da242e$f623d550$e26b7ff0$@smyslov.net> <6172ba00-6793-4393-9466-37b52fe1e25b@switch.ch> <651E26F6-B0B2-40A7-B636-88569CFEFCB3@deployingradius.com>
From: Fabian Mauchle <fabian.mauchle@switch.ch>
In-Reply-To: <651E26F6-B0B2-40A7-B636-88569CFEFCB3@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/71kBWbeDMu7FF47UAwuDVuYKOkU>
Subject: Re: [radext] WGLC for draft-ietf-radext-tls-psk-04

Finally getting around to working on this again after the Christmas/new 
year break, and too much of 'has to be completed before the end of the 
year'.

On 01.12.2023 19:22, Alan DeKok wrote:
> On Dec 1, 2023, at 11:17 AM, Fabian Mauchle <fabian.mauchle@switch.ch> wrote:
>> After re-reading -04 and trying to update my implementation:
>>
>> 4.2.1.  Security of PSK Identities
>>> However, implementations MUST support managing PSK identities as a
>>> set of undistinguished octets
>>
>> This sentence confuses me (not sure why I didn't trip over it before).
>> If I follow the advice (SHOULD) of verifying identities as valid UTF-8, I would now violate the above statement, as I no longer support just any undistinguished octets.
> 
>    I don't think there's any contradiction.  Implementations MUST support identities as random stuff.  But it's generally a good idea to use UTF-8 for humanly-managed identities.

I don't agree - or I don't understand...

If a server chooses to reject non-UTF-8 identities, it very explicitly 
does NOT support identities as a set of undistinguished octets.
Supporting 'PSK identities as a set of undistinguished octets' to me 
means that I have to accept random stuff as an identity - even a 
zero byte 0x00 - but if I reject this identity because it's not UTF-8, 
I'm violating this provision.

Turning this on its head:
Section 5.1 mandates support for UTF-8 identities on the client side. So 
why do we need a MUST requirement on the server side to support random 
(non-UTF-8) identities?

Again, I might completely misunderstand this requirement, but I don't 
like to ignore a MUST statement just because I don't know what to do 
with it.


>    Are resumption and PSK really mutually exclusive?

Just for completeness: yes, for TLS1.3, PSK and resumption are mutually 
exclusive, per connection (I think this is different in TLS1.2).

From the TLS1.3 protocol point of view, PSK and resumption are the same 
thing - it does not care if identity and key were provided by an admin 
or established using a session ticket.


-- 
Fabian Mauchle
Network
NOC:   +41 44 268 15 30
Direct: +41 44 268 15 39

Switch
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
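To make the tension discussed in this thread concrete, here is an added Python example (not code from the draft, from Fabian, or from Alan): a PSK identity store whose lookup is keyed on the raw identity octets, with the UTF-8 check as a separate policy switch. `PskIdentityStore`, `demo` and the sample identities and keys are constructed for illustration.

```python
from typing import Optional


class PskIdentityStore:
    """PSK identity -> key store that treats identities as opaque octets."""

    def __init__(self, reject_non_utf8: bool = False) -> None:
        # Keys are the raw identity bytes, so any octet string can be provisioned.
        self._keys: dict[bytes, bytes] = {}
        # Policy knob modelling the SHOULD (validate UTF-8) from the draft.
        self.reject_non_utf8 = reject_non_utf8

    def add(self, identity: bytes, psk: bytes) -> None:
        self._keys[identity] = psk

    @staticmethod
    def is_utf8(identity: bytes) -> bool:
        try:
            identity.decode("utf-8")
            return True
        except UnicodeDecodeError:
            return False

    def lookup(self, identity: bytes) -> Optional[bytes]:
        """Return the PSK for the presented identity, or None to abort the handshake."""
        if self.reject_non_utf8 and not self.is_utf8(identity):
            # Strict policy: a provisioned but non-UTF-8 identity is refused here,
            # which is the behaviour the thread argues conflicts with the MUST.
            return None
        return self._keys.get(identity)


def demo() -> dict:
    """Constructed scenario: one human-managed identity, one opaque one."""
    human = "nas01.example.org".encode()          # valid UTF-8
    opaque = bytes.fromhex("ff00813a9e")           # leading 0xFF is never valid UTF-8
    results = {}
    for strict in (False, True):
        store = PskIdentityStore(reject_non_utf8=strict)
        store.add(human, bytes.fromhex("00112233"))    # constructed sample PSKs
        store.add(opaque, bytes.fromhex("44556677"))
        results[strict] = (store.lookup(human) is not None,
                           store.lookup(opaque) is not None)
    return results


if __name__ == "__main__":
    # Lenient policy resolves both identities; strict policy drops the opaque one.
    print(demo())
```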