IETF Logo Mail Archive

Re: [radext] WGLC for draft-ietf-radext-tls-psk-04

Alan DeKok <aland@deployingradius.com> Tue, 16 January 2024 15:38 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4D77C14F713 for <radext@ietfa.amsl.com>; Tue, 16 Jan 2024 07:38:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n463cAVplrh3 for <radext@ietfa.amsl.com>; Tue, 16 Jan 2024 07:38:02 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8AD0C14F73F for <radext@ietf.org>; Tue, 16 Jan 2024 07:37:40 -0800 (PST)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id C2DF043F; Tue, 16 Jan 2024 15:37:37 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <89087622-6499-4B64-8139-75D4464B49A2@deployingradius.com>
Date: Tue, 16 Jan 2024 10:37:36 -0500
Cc: radext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <02F27A5D-33AD-4B35-BF46-716345E480CA@deployingradius.com>
References: <005901da242e$f623d550$e26b7ff0$@smyslov.net> <6172ba00-6793-4393-9466-37b52fe1e25b@switch.ch> <651E26F6-B0B2-40A7-B636-88569CFEFCB3@deployingradius.com> <e34c5a26-079d-4988-83b0-c53c3708ef2e@switch.ch> <57B035CF-64CA-4B93-9FEE-929D7DD80D32@deployingradius.com> <3af70e7f-356e-4d49-a1a0-a4c6d270a1a3@switch.ch> <89087622-6499-4B64-8139-75D4464B49A2@deployingradius.com>
To: Fabian Mauchle <fabian.mauchle@switch.ch>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/N9pfIkN-yEwcaHhR-AVUVRtMVZY>
Subject: Re: [radext] WGLC for draft-ietf-radext-tls-psk-04
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jan 2024 15:38:05 -0000

  I believe that the latest draft addresses all open concerns about the content.

  The only remaining issue is the document status.  It's currently informational.  It perhaps could better be "experimental", to show that it is on the standards track.

  Jan-Frederiks point is that we could perhaps just make it proposed standard.

  I think there are benefits to that.  However, changing the status is likely to require the agreement of the WG and the AD.

  Comments?

> On Jan 15, 2024, at 6:20 AM, Alan DeKok <aland@deployingradius.com> wrote:
> 
> On Jan 15, 2024, at 5:41 AM, Fabian Mauchle <fabian.mauchle@switch.ch> wrote:
>> TLS1.3 session resumption requires it to be an opaque blob - externally provided PSK does not imply this, we can be more restrictive - if we want to.
> 
>  I believe it's useful to suggest that PSKs managed by administrators be understandable by those administrators.  i.e. UTF-8 text is much easier for people to manage than opaque blobs.
> 
>> E.G. RFC4279 requires that the identity MUST be UTF-8. Currently we require that the client supports this (but we don't forbid other things).
>> But we could also be more restrictive and define that client and server MUST implement RFC4279 for the externally provided PSK. Thus the server may only accept non-UTF-8 for session resumption. This might simplify server implementations to distinguish between PSK and resumption.
> 
>  I believe so, yes.
> 
>  Alan DeKok.
> 
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext

v2.23.0 | Report a Bug | By Email