Re: [radext] Discussions about RFC6614bis

Heikki Vatiainen <hvn@radiatorsoftware.com> Fri, 13 January 2023 13:05 UTC

References: <a53edd01-f255-7a9d-5ff1-5ca1d28aee59@dfn.de>
In-Reply-To: <a53edd01-f255-7a9d-5ff1-5ca1d28aee59@dfn.de>
From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Fri, 13 Jan 2023 15:04:59 +0200
Message-ID: <CAA7Lko-uANwr6FpmKafErySYDURfmjQE+9wF03aeY7NeHobFYw@mail.gmail.com>
To: radext@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/d9Rccjvt1ikAIwxwk67s9_4Ymas>
Subject: Re: [radext] Discussions about RFC6614bis

On Mon, 5 Dec 2022 at 17:48, Jan-Frederik Rieckers <rieckers@dfn.de> wrote:

> we have started some discussions on the RFC6614bis draft on Github:
> https://github.com/Janfred/draft-rieckers-radext-rfc6614bis
>
> There are already some open discussion items, if anyone wants to join
> the discussion there: feel free to do so.
>

RFC 9113 'HTTP/2' defines a profile for using TLSv1.2 and TLSv1.3.
Something similar might be useful for this draft too?
https://www.rfc-editor.org/rfc/rfc9113.html#name-use-of-tls-features
https://www.rfc-editor.org/rfc/rfc9113.html#name-prohibited-tls-12-cipher-su

Using text in 9113 as a helper, together with RFC 9325 'Recommendations for
Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer
Security (DTLS)', could help to ensure that the draft has up-to-date TLS
requirements. I noticed the current github version already notes RFC 9325
but does not go into details yet.

For example, RFC 6614, and therefore the current draft, requires
TLS_RSA_WITH_AES_128_CBC_SHA but does not explicitly require the RFC 7627
extended master secret. This, I believe, isn't acceptable anymore because
of 3SHAKE and the other problems 7627 addresses.

The idea of using RFC 9113 as a helper isn't my own; I lifted it from John
Mattsson's email to the emu-wg list:
https://mailarchive.ietf.org/arch/msg/emu/oTAM41Od_Oy4eXhb6K1oNo9gg4I/

The above message also has a note about upcoming NIST requirements, which
are likely useful to have covered with RadSec too.

> After the chartering process is finished I'll post the open items of the
> discussions from github on this list, but for now I didn't want to shift
> the focus from the charter discussion.
>

I can add this to github too, but I thought I'd first float the idea here
on the list.

-- 
Heikki Vatiainen
hvn@radiatorsoftware.com
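As an added example, not code from the email, the draft or either RFC, the script below audits a RADIUS/TLS server's cipher suite list against the two RFC 9113-style criteria the message proposes reusing for RadSec (ephemeral key exchange and an AEAD cipher for TLS 1.2 suites) and builds a matching OpenSSL-backed server context with TLS 1.2 as the floor. The suite names are constructed sample input; Python's ssl module does not report whether the RFC 7627 extended master secret was negotiated, so that check is deliberately left out.

```python
"""Audit RadSec (RADIUS/TLS) cipher suites against an RFC 9113-style profile:
TLS 1.2 suites must use ephemeral key exchange and an AEAD construction.
Added example; suite names below are constructed sample input."""
import re
import ssl

# Constructed sample of suites one might find in a RadSec server config.
# TLS_RSA_WITH_AES_128_CBC_SHA is the suite RFC 6614 requires.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",  # TLS 1.3 suite: always ephemeral and AEAD
]

AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")


def classify_suite(name: str) -> list:
    """Return the reasons an IANA suite name fails the profile; [] means OK."""
    problems = []
    if not name.startswith("TLS_"):
        return ["not an IANA TLS cipher suite name"]
    if "_WITH_" not in name:
        # TLS 1.3 names carry no key-exchange part: the 1.3 handshake is
        # always (EC)DHE and every 1.3 suite is AEAD, so nothing to flag.
        return problems
    kex = name[len("TLS_"):name.index("_WITH_")]
    if not re.search(r"(^|_)(ECDHE|DHE)(_|$)", kex):
        problems.append("non-ephemeral key exchange (%s): no forward secrecy" % kex)
    if not any(marker in name for marker in AEAD_MARKERS):
        problems.append("non-AEAD cipher/MAC construction")
    return problems


def audit(suites) -> dict:
    """Map each configured suite to its list of profile violations."""
    return {suite: classify_suite(suite) for suite in suites}


def radsec_server_context() -> ssl.SSLContext:
    """Server context matching the profile: TLS 1.2 minimum, no static RSA
    key exchange (!kRSA), AEAD-only TLS 1.2 suites (OpenSSL cipher syntax)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!kRSA")
    return ctx


if __name__ == "__main__":
    for suite, problems in audit(SAMPLE_SUITES).items():
        print(suite, "OK" if not problems else "; ".join(problems))
```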