Re: [radext] New draft: RFC6614bis (RADIUS/TLS)

Alexander Clouter <alex+ietf@coremem.com> Tue, 25 October 2022 11:14 UTC

Hello,

On Mon, 24 Oct 2022, at 16:00, Jan-Frederik Rieckers wrote:
> Feedback welcome.

I cannot find anything mentioned earlier, but do we now get to remove Message-Authenticator[1]?

At the moment Message-Authenticator is a MUST for EAP-Message and the draft Status-Realm-Request[2] attributes.

Not sure what the secret would be in a (D)TLS connection unless we intend to use a hardcoded 'radsec', but then there is still the issue that MD5 is lurking in there.

Thanks

[1] https://datatracker.ietf.org/doc/html/rfc3579#section-3.2
[2] https://datatracker.ietf.org/doc/html/draft-cullen-radextra-status-realm-00#section-5.1
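To make the concern above concrete, here is an added example (not from the email, the draft, or any RADIUS implementation) that computes and verifies Message-Authenticator as RFC 3579 section 3.2 defines it: HMAC-MD5 keyed on the shared secret over the packet with the attribute value zeroed. The secret is assumed to be the fixed string "radsec" that RFC 6614 specifies for RADIUS/TLS; the packet contents are constructed sample data.

```python
import hmac
import hashlib
import struct

# RFC 6614 fixes the RADIUS/TLS shared secret to "radsec"; because every peer
# knows it, an HMAC-MD5 keyed on it adds nothing the TLS layer does not already give.
RADSEC_SECRET = b"radsec"
MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 3579 section 3.2)

def tlv(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_packet(code, identifier, authenticator, attrs):
    """RADIUS header (Code, Identifier, Length, Authenticator) plus attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body

def find_message_authenticator(packet):
    """Offset of the Message-Authenticator value, or -1 if absent or malformed."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return -1
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            return pos + 2
        pos += length
    return -1

def compute_message_authenticator(packet, secret, request_authenticator=None):
    """HMAC-MD5 over the packet with the attribute value zeroed. Responses are
    keyed over the Request Authenticator of the request they answer."""
    off = find_message_authenticator(packet)
    if off < 0:
        raise ValueError("no Message-Authenticator attribute")
    auth = request_authenticator or packet[4:20]
    zeroed = packet[:4] + auth + packet[20:off] + bytes(16) + packet[off + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def sign(packet, secret, request_authenticator=None):
    """Return the packet with its Message-Authenticator value filled in."""
    off = find_message_authenticator(packet)
    mac = compute_message_authenticator(packet, secret, request_authenticator)
    return packet[:off] + mac + packet[off + 16:]

def verify(packet, secret, request_authenticator=None):
    """Constant-time check of the received Message-Authenticator value."""
    off = find_message_authenticator(packet)
    return off >= 0 and hmac.compare_digest(
        packet[off:off + 16], compute_message_authenticator(packet, secret, request_authenticator))
```

The check detects transport-level corruption of the attributes, but its only key is the secret, so under RADIUS/TLS it cannot distinguish peers any better than the TLS session already does.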