[radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS

Q Misell <q@as207960.net> Wed, 31 July 2024 07:57 UTC

From: Q Misell <q@as207960.net>
Date: Wed, 31 Jul 2024 09:56:20 +0200
To: Alan DeKok <aland@deployingradius.com>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, radext@ietf.org
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/fefEliqAKYSjKFHblxYW3aa1hiQ>

Agreeing with the general sentiment that mandating TLS 1.3 is warranted.
We're defining a whole new transport anyway, let's make it as secure as we
can.
------------------------------

Any statements contained in this email are personal to the author and are
not necessarily the statements of the company unless specifically stated.
AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace,
Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company
registered in Wales under № 12417574
<https://find-and-update.company-information.service.gov.uk/company/12417574>,
LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876
<https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867. EU
VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №:
522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru
maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca
Digital, is a company registered in Estonia under № 16755226. Estonian VAT
№: EE102625532. Glauca Digital and the Glauca logo are registered
trademarks in the UK, under № UK00003718474 and № UK00003718468,
respectively.


On Wed, 31 Jul 2024 at 02:07, Alan DeKok <aland@deployingradius.com> wrote:

> On Jul 30, 2024, at 3:54 PM, Michael Richardson <mcr+ietf@sandelman.ca>
> wrote:
> > For server to server (proxy) situations, that seems quite reasonable to
> > mandate 1.3.
> >
> > Are the access devices up to this?
>
>   For any non-trivial ones, yes.  For trivial ones, they can continue to
> use RADIUS/UDP until such time as the devices reach EOL.
>
>   There's no reason to limit support to an intermediary upgrade path when
> the better solution is already 6 years old.
>
> > To me, even TLS 1.1 seems better than RADIUS/(UDP)-MD5.
> > (What are we calling the legacy insecure method?)
>
>   RADIUS/UDP is simple enough, I think.
>
>   Alan DeKok.
>