Re: [radext] WGLC for draft-ietf-radext-tls-psk-04

Valery Smyslov <smyslov.ietf@gmail.com> Wed, 17 January 2024 08:08 UTC

From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Alan DeKok' <aland@deployingradius.com>, 'Fabian Mauchle' <fabian.mauchle@switch.ch>
Cc: radext@ietf.org
References: <005901da242e$f623d550$e26b7ff0$@smyslov.net> <6172ba00-6793-4393-9466-37b52fe1e25b@switch.ch> <651E26F6-B0B2-40A7-B636-88569CFEFCB3@deployingradius.com> <e34c5a26-079d-4988-83b0-c53c3708ef2e@switch.ch> <57B035CF-64CA-4B93-9FEE-929D7DD80D32@deployingradius.com> <3af70e7f-356e-4d49-a1a0-a4c6d270a1a3@switch.ch> <89087622-6499-4B64-8139-75D4464B49A2@deployingradius.com> <02F27A5D-33AD-4B35-BF46-716345E480CA@deployingradius.com>
In-Reply-To: <02F27A5D-33AD-4B35-BF46-716345E480CA@deployingradius.com>
Date: Wed, 17 Jan 2024 11:08:40 +0300
Message-ID: <000001da491c$61d1c3e0$25754ba0$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/_xbT7OBdeM406htiAqcuGd4K8u8>

Hi Alan,

>   I believe that the latest draft addresses all open concerns about the content.

I have a couple of nits that would be better fixed before the draft is submitted to the IESG.

1. Section 4.2.1, typo:
s/identies/identities

2. Section 5.1
I think that the added text about the historic method of protecting RADIUS packets
should be reworded to avoid the use of "sign" and "signing". Formally speaking,
calculating a Message Authentication Code using a hash algorithm is not "signing",
a term that is only applicable to public key cryptography. Security people are
very sensitive to the correct use of this term, so I believe the text should
be reworded to avoid negative feedback from the security review.
I think "authentication" or "integrity protection" is the appropriate wording here.

>   The only remaining issue is the document status.  It's currently informational.  It perhaps could
> better be "experimental", to show that it is on the standards track.
> 
>   Jan-Frederik's point is that we could perhaps just make it proposed standard.
> 
>   I think there are benefits to that.  However, changing the status is likely to require the agreement
> of the WG and the AD.
> 
>   Comments?

I think that BCP is more appropriate here than Proposed Standard. The draft doesn't
define any new protocol; it contains recommendations for using existing protocols.

Anyway, I agree that there should be a WG consensus for changing the status
and an agreement from the responsible AD.

Regards,
Valery.

> > On Jan 15, 2024, at 6:20 AM, Alan DeKok <aland@deployingradius.com> wrote:
> >
> > On Jan 15, 2024, at 5:41 AM, Fabian Mauchle <fabian.mauchle@switch.ch> wrote:
> >> TLS 1.3 session resumption requires it to be an opaque blob; an externally provided PSK does not
> >> imply this, so we can be more restrictive if we want to.
> >
> >  I believe it's useful to suggest that PSKs managed by administrators be understandable by those
> >  administrators, i.e. UTF-8 text is much easier for people to manage than opaque blobs.
> >
> >> E.g. RFC 4279 requires that the identity MUST be UTF-8. Currently we require that the client
> >> supports this (but we don't forbid other things).
> >> But we could also be more restrictive and define that client and server MUST implement RFC 4279
> >> for the externally provided PSK. Thus the server may only accept non-UTF-8 for session resumption.
> >> This might simplify server implementations to distinguish between PSK and resumption.
> >
> >  I believe so, yes.
> >
> >  Alan DeKok.
> >
> > _______________________________________________
> > radext mailing list
> > radext@ietf.org
> > https://www.ietf.org/mailman/listinfo/radext
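The terminology point in nit 2 above is worth seeing in code. The following is an added illustration, not text from draft-ietf-radext-tls-psk or code from anyone in this thread: it builds a RADIUS Access-Request carrying a Message-Authenticator (RFC 2869 section 5.14, HMAC-MD5 keyed with the shared secret) and an Access-Accept carrying a Response Authenticator (RFC 2865 section 3, MD5 over the packet followed by the secret), then checks three properties. A genuine packet verifies, a tampered one is rejected, and a party that can verify (the server) can also mint a "client" packet that verifies, because the key needed to check the value is the same key needed to create it. That last property is what separates a MAC from a signature and is why "integrity protection" or "authentication" is the right word. The shared secret, Request Authenticator, identifier and attribute values are constructed test data; the Request Authenticator is fixed only so the run is reproducible, where RFC 2865 requires it to be random.

```python
"""RADIUS packet protection is a MAC, not a signature (added illustration).

Not from the draft or the thread.  Secret, identifiers and attribute values
are constructed test data; REQUEST_AUTH is fixed for reproducibility only.
"""
import hashlib
import hmac
import struct

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20                    # Code(1) Identifier(1) Length(2) Authenticator(16)

SECRET = b"constructed-shared-secret"   # constructed, not a real credential
REQUEST_AUTH = bytes(range(16))         # RFC 2865 wants random; fixed here


def avp(attr_type, value):
    """Type/Length/Value attribute; Length counts the T and L octets as well."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode(code, ident, authenticator, attrs):
    body = b"".join(avp(t, v) for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def parse(pkt):
    """Return (code, ident, authenticator, [(type, value), ...]); reject bad framing."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field disagrees with packet size")
    attrs, i = [], HEADER_LEN
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, pkt[4:HEADER_LEN], attrs


def message_authenticator(secret, code, ident, authenticator, attrs):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed (RFC 2869 5.14)."""
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, encode(code, ident, authenticator, zeroed), hashlib.md5).digest()


def build_access_request(secret, ident, user_name, nas_ip, request_auth):
    attrs = [(ATTR_USER_NAME, user_name), (ATTR_NAS_IP_ADDRESS, nas_ip),
             (ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    mac = message_authenticator(secret, CODE_ACCESS_REQUEST, ident, request_auth, attrs)
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
    return encode(CODE_ACCESS_REQUEST, ident, request_auth, attrs)


def verify_message_authenticator(secret, pkt):
    code, ident, auth, attrs = parse(pkt)
    found = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0]) != 16:
        return False
    return hmac.compare_digest(found[0], message_authenticator(secret, code, ident, auth, attrs))


def build_access_accept(secret, ident, request_auth, attrs):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret) (RFC 2865 3)."""
    resp_auth = hashlib.md5(encode(CODE_ACCESS_ACCEPT, ident, request_auth, attrs) + secret).digest()
    return encode(CODE_ACCESS_ACCEPT, ident, resp_auth, attrs)


def verify_response_authenticator(secret, pkt, request_auth):
    code, ident, resp_auth, attrs = parse(pkt)
    expected = hashlib.md5(encode(code, ident, request_auth, attrs) + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def demo():
    """The facts that make this a MAC rather than a signature; every value should be True."""
    nas_ip = bytes([192, 0, 2, 10])                    # RFC 5737 documentation address
    req = build_access_request(SECRET, 7, b"alice", nas_ip, REQUEST_AUTH)
    accept = build_access_accept(SECRET, 7, REQUEST_AUTH, [])
    tampered = bytearray(req)
    tampered[HEADER_LEN + 2] ^= 0x01                   # flip one byte of User-Name
    # The verifier holds the only key there is, so it can mint a request "from" the NAS.
    forged_by_server = build_access_request(SECRET, 7, b"mallory", nas_ip, REQUEST_AUTH)
    return {
        "genuine_request_verifies": verify_message_authenticator(SECRET, req),
        "tampered_request_rejected": not verify_message_authenticator(SECRET, bytes(tampered)),
        "verifier_can_forge": verify_message_authenticator(SECRET, forged_by_server),
        "accept_verifies": verify_response_authenticator(SECRET, accept, REQUEST_AUTH),
        "accept_wrong_secret_rejected": not verify_response_authenticator(b"other", accept, REQUEST_AUTH),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The "verifier_can_forge" entry is the whole argument: with a digital signature the verifier holds only the public key and cannot produce a valid value, so a signature carries non-repudiation; here the server can produce a packet indistinguishable from a client's, so what RADIUS gets from the shared secret is integrity and origin authentication among secret holders, not a signature. The parser rejects attribute lengths below 2 and any attribute running past the declared Length, the framing checks a receiver needs before it touches the MAC.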