[radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS
Stefan Paetow <Stefan.Paetow@jisc.ac.uk> Wed, 31 July 2024 19:19 UTC
From: Stefan Paetow <Stefan.Paetow@jisc.ac.uk>
To: "radext@ietf.org" <radext@ietf.org>
Date: Wed, 31 Jul 2024 19:18:56 +0000
Message-ID: <CAF45762-BEF4-4989-8B86-654F98EB962E@jisc.ac.uk>
References: <3A0631E2-9679-4AC6-82DC-0ECD5DDCBE03@gmail.com> <06c787ed-b989-f0ea-5a1e-0762fa63053b@iea-software.com> <84133.1721926586@dyas> <CAOW+2dtmPRL6CoeUZJSMHee+ae=DUMhEyJqzYtVHod4hgQ8xEA@mail.gmail.com> <E77247DC-B329-4805-9F3B-EA7B8C9A0093@deployingradius.com> <343079.1722369297@dyas> <13756.1722376845@obiwan.sandelman.ca>
In-Reply-To: <13756.1722376845@obiwan.sandelman.ca>
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/Vrc3KJjCBFvXX1gVgqUya-uSAwc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
> > For server to server (proxy) situations, that seems quite reasonable to
> > mandate 1.3.
>
> Or to put it another way, if eduroam declared TLS 1.3 or die, I think that
> would be okay.

Well, it was fun mandating TLSv1.2 to start with... ;-)

I can only speak for myself here, but I do agree that if we want to move ahead and make this as good as possible, yes, TLSv1.3 is a requirement that should be enforced from the start. It's certainly something to raise in the next eduroam steering group meeting to see if that's possible.

I guess as long as you have OpenSSL 1.1.1 or appropriate equivalents, you ought to be able to stand up a RADIUS/TLS deployment regardless of platform age.

With kind regards

Stefan Paetow
Federated Roaming Technical Specialist
eduroam(UK), Jisc

email/teams: stefan.paetow@jisc.ac.uk
gpg: 0x3FCE5142
jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB Tel: 020 3697 5800.
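The "TLS 1.3 or die" proxy-to-proxy policy discussed above, as an added example that is not part of this message, the radext thread or any RADIUS implementation: a Go program (Go's standard crypto/tls) that puts a TLS 1.3 floor on a listener standing in for a RADIUS/TLS proxy, then drives two handshakes against it over loopback TCP, one from a peer capped at TLS 1.2 and one from a TLS 1.3-capable peer. The certificate is generated in memory and validated properly on the client side (trust pool plus name check, no InsecureSkipVerify). The name radsec.example.org and the functions selfSignedCert, ProxyServerConfig and Negotiate are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverName is a hypothetical proxy name shared by the test certificate and the client's check.
const serverName = "radsec.example.org"

// selfSignedCert builds an in-memory ECDSA P-256 certificate for serverName,
// standing in for the CA-issued certificate a real proxy would present.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// ProxyServerConfig is the "TLS 1.3 or die" listener policy: MinVersion sets the floor,
// so a peer offering only TLS 1.2 is refused during version negotiation, not downgraded.
func ProxyServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}
}

// Negotiate runs one handshake over loopback TCP between the proxy policy and a client
// capped at maxVersion, returning the negotiated version (0 on failure) and the client error.
func Negotiate(srvCfg *tls.Config, pool *x509.CertPool, maxVersion uint16) (uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvDone <- err
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second)) // never hang the caller on a stuck peer
		srvDone <- tls.Server(raw, srvCfg).Handshake()
	}()
	cliCfg := &tls.Config{
		RootCAs:    pool,       // real trust anchor rather than InsecureSkipVerify
		ServerName: serverName, // the certificate is validated against this name
		MinVersion: tls.VersionTLS12,
		MaxVersion: maxVersion,
	}
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return 0, err
	}
	defer raw.Close()
	cli := tls.Client(raw, cliCfg)
	cliErr := cli.Handshake()
	<-srvDone // let the server side finish before the listener goes away
	if cliErr != nil {
		return 0, cliErr
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	cert, pool, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	for _, peerMax := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		got, err := Negotiate(ProxyServerConfig(cert), pool, peerMax)
		fmt.Printf("peer offering at most %#04x: negotiated %#04x, err=%v\n", peerMax, got, err)
	}
}
```

Run it with `go run`; the TLS 1.2-capped peer is rejected at version negotiation (the client sees a protocol_version alert), while the TLS 1.3-capable peer negotiates 0x0304. The field equivalent against a deployed proxy is `openssl s_client -connect proxy:2083 -tls1_2`, which a TLS 1.3-only listener should refuse. Note what this example leaves out: RADIUS/TLS peers mutually authenticate, so a real listener would also demand and verify a client certificate (or use TLS-PSK), which the server config above does not do.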