Re: [radext] I-D Action: draft-ietf-radext-tls-psk-03.txt

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 20 September 2023 15:05 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: radext@ietf.org
In-Reply-To: <CAA7Lko8sDWY1nJxn1BkG0M1pLRuoOQhvnZvorLgZxBEBdzLPbA@mail.gmail.com>
References: <169290062850.51444.4789101133837195921@ietfa.amsl.com> <EFF9D14C-6714-4168-8C2D-A03DCB9ADFFB@deployingradius.com> <B88BB843-C4C3-418F-A6CA-4F360EB67C95@deployingradius.com> <CAA7Lko_oL5Oy9T52JnwUiaZDvUhwed8hivysoSuqY1jhXF=Ziw@mail.gmail.com> <8081E8F9-3818-43ED-8C82-3EBB093BCDBB@deployingradius.com> <CAA7Lko8sDWY1nJxn1BkG0M1pLRuoOQhvnZvorLgZxBEBdzLPbA@mail.gmail.com>
Date: Wed, 20 Sep 2023 11:05:42 -0400
Message-ID: <17676.1695222342@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/VaGXsbN6Q6ikDZmTZmH6uf0MhRg>
Subject: Re: [radext] I-D Action: draft-ietf-radext-tls-psk-03.txt

It seems that one ought to be able to take the good old RADIUS secret and run
it through a suitable keyed hash function such that a different key is used for
TLS 1.2 and 1.3.
(In particular, DTLS 1.3 is likely unavailable on many platforms for some time)

This seems to be the best way to accomplish automatic upgrade to TLS.

Am I missing something as to why this isn't being specified?

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
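The derivation sketched in the message above, as an added worked example that is not part of the original post, the draft, or any RADIUS implementation: the legacy RADIUS shared secret is fed through HKDF (RFC 5869, HMAC-SHA256) with a version-specific info label, so that the PSK handed to a TLS 1.2 stack and the PSK handed to a TLS 1.3 stack are distinct values even though both come from the same provisioned secret. The salt string, the info labels, the 32-byte output length and the test secret are assumptions of this example only; both peers would have to agree on them out of band.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256

# Assumed constants for this example: neither the draft nor RFC 5869 fixes them.
EXAMPLE_SALT = b"radius-tls-psk-example-salt"
SUPPORTED_VERSIONS = ("TLS1.2", "TLS1.3")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869 section 2.2): PRK = HMAC-Hash(salt, IKM).

    An empty salt is replaced by HashLen zero bytes, as the RFC specifies.
    """
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869 section 2.3): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand cannot produce more than 255*HashLen bytes")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_tls_psk(radius_secret: bytes, tls_version: str, length: int = 32) -> bytes:
    """Derive a per-TLS-version PSK from the RADIUS shared secret.

    The version string is mixed into the HKDF info field, so the TLS 1.2
    and TLS 1.3 keys are unrelated outputs of the same PRK; learning one
    does not help recover the other or the original secret.
    """
    if tls_version not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported TLS version label: {tls_version!r}")
    if not radius_secret:
        raise ValueError("RADIUS shared secret must not be empty")
    prk = hkdf_extract(EXAMPLE_SALT, radius_secret)
    info = b"radius/tls-psk/" + tls_version.encode("ascii")  # assumed label format
    return hkdf_expand(prk, info, length)


def psk_matches(local_psk: bytes, peer_psk: bytes) -> bool:
    """Constant-time comparison, e.g. for a server checking a derived key."""
    return hmac.compare_digest(local_psk, peer_psk)


def hkdf_self_test() -> bool:
    """Check the HKDF implementation against RFC 5869 Appendix A test case 1."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    expected_prk = bytes.fromhex(
        "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
    )
    expected_okm = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    )
    prk = hkdf_extract(salt, ikm)
    return prk == expected_prk and hkdf_expand(prk, info, 42) == expected_okm


if __name__ == "__main__":
    # Constructed sample secret; a real deployment would use a long random one.
    secret = b"testing123"
    k12 = derive_tls_psk(secret, "TLS1.2")
    k13 = derive_tls_psk(secret, "TLS1.3")
    print("HKDF self-test:", hkdf_self_test())
    print("TLS1.2 PSK:", k12.hex())
    print("TLS1.3 PSK:", k13.hex())
    print("keys distinct:", not psk_matches(k12, k13))
```

Because the derivation is deterministic, the RADIUS client and server each compute the keys independently from the secret they already share; nothing new has to be transported. One caveat worth keeping in mind when mapping this onto a real stack: in TLS 1.3 an externally provisioned PSK is bound to a single hash algorithm (RFC 8446 section 4.2.11), so a deployment would also need to fix which hash the derived TLS 1.3 key is used with.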