Re: [radext] I-D Action: draft-ietf-radext-tls-psk-02.txt

Alexander Clouter <alex+ietf@coremem.com> Sun, 20 August 2023 06:50 UTC


On Fri, 18 Aug 2023, at 21:07, Alan DeKok wrote:
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories. This Internet-Draft is a work item of the RADIUS EXTensions
>> (RADEXT) WG of the IETF.
>> 
>>   Title           : RADIUS and TLS-PSK
>>   Author          : Alan DeKok
>>   Filename        : draft-ietf-radext-tls-psk-02.txt
>>   Pages           : 14
>>   Date            : 2023-08-18
>> 
>> Abstract:
>>   This document gives implementation and operational considerations for
>>   using TLS-PSK with RADIUS/TLS (RFC6614) and RADIUS/DTLS (RFC7360).

Looks fine to me, "ship it" (after touching up the paint job).

"Implementations MUST use ECDH cipher suites", is this not meant to be "Implementations MUST support ECDH cipher suites" or because pinning cipher suites tends to not age well?

s/labelled/labeled/g   <-- probably my fault, I think I nitted the US to GB in the last one
s/incorret/incorrect/g

Typo in: "We note that the PSK identity is a field created >>but<< the connecting client", should be "We note that the PSK identity is a field created >>by<< the connecting client".

I think someone here had a preference for non-compressed CIDRs: s~192.0.2/24~192.0.2.0/24~

Thanks