Re: [radext] PSK identity in draft-ietf-radext-tls-psk-01

Alan DeKok <aland@deployingradius.com> Sat, 19 August 2023 12:30 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAA7Lko9nDsUj0O_RP-AWd+LOKNvxT-Bai-AJoY1SOU3Za5wUFw@mail.gmail.com>
Date: Sat, 19 Aug 2023 08:30:41 -0400
Cc: radext@ietf.org
Message-Id: <3A6F18AC-6EA2-45A5-93CA-5AD603D9231B@deployingradius.com>
References: <CAA7Lko8W5T+7KQ0fr3KwvuBJM0_D-6NTAe9gZNvi8h5apPHLxw@mail.gmail.com> <10343A98-2E69-4838-8776-736265CF68FE@deployingradius.com> <CAA7Lko9nDsUj0O_RP-AWd+LOKNvxT-Bai-AJoY1SOU3Za5wUFw@mail.gmail.com>
To: Heikki Vatiainen <hvn@radiatorsoftware.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/YFFZCVehfKy4LoAKOZ0MaE6Zmsw>
Subject: Re: [radext] PSK identity in draft-ietf-radext-tls-psk-01

On Aug 17, 2023, at 3:34 PM, Heikki Vatiainen <hvn@radiatorsoftware.com> wrote:
> Thanks! One thing I forgot from the list, not that it changes anything, but now in the year 2023 the identity lookup is likely to involve an HTTP-based interface, which means they could end up in HTTP GET, POST and other parameters, HTTP headers and payload. Lots of possibilities to inject unauthenticated data over the network.

  I added a comment about REST, and a generic requirement on escaping:

 When the identity is passed to an external API (e.g. database lookup), implementations MUST either escape any characters in the identity which are invalid for that API, or else reject the identity entirely.

  Alan DeKok.
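As an added example (not from the draft, this thread, or any RADIUS implementation), here is one way to apply the "escape or reject" requirement above in Python before an unauthenticated TLS-PSK identity reaches a database or a REST lookup. The printable-ASCII character policy, the client table, and the lookup URL are assumptions of this example.

```python
# Added example: apply "escape or reject" to a TLS-PSK identity before it is
# handed to an external API. Nothing here comes from the draft or any server.
import sqlite3
import urllib.parse
from typing import Optional

# Constructed identity -> PSK table; identities and keys are made up.
PSK_TABLE = {
    "nas01.example.com": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "nas02.example.com": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


def validate_identity(identity: bytes, max_len: int = 128) -> Optional[str]:
    """Reject path: accept only non-space printable ASCII of bounded length.
    Returns the decoded identity, or None meaning the handshake should fail.
    The character policy is an assumption of this example, not the draft's."""
    if not identity or len(identity) > max_len:
        return None
    if any(b < 0x21 or b > 0x7E for b in identity):
        return None
    return identity.decode("ascii")


def db_lookup(conn: sqlite3.Connection, identity: str) -> Optional[bytes]:
    """Database path: a bound parameter keeps the identity out of the query
    text, so it cannot alter the statement whatever characters it contains."""
    row = conn.execute(
        "SELECT psk FROM clients WHERE identity = ?", (identity,)
    ).fetchone()
    return row[0] if row else None


def rest_query(identity: str) -> str:
    """HTTP path: escape the identity for use as a URL query parameter."""
    base = "https://psk-store.example/lookup?"  # assumed URL
    return base + urllib.parse.urlencode({"identity": identity})


def make_db() -> sqlite3.Connection:
    """Build an in-memory table from the constructed PSK_TABLE."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (identity TEXT PRIMARY KEY, psk BLOB)")
    conn.executemany("INSERT INTO clients VALUES (?, ?)", PSK_TABLE.items())
    return conn


def lookup_psk(conn: sqlite3.Connection, raw_identity: bytes) -> Optional[bytes]:
    """Full flow: reject bad identities first, then do the parameterised lookup."""
    ident = validate_identity(raw_identity)
    return None if ident is None else db_lookup(conn, ident)
```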