Re: [radext] Terminology: Tickets, external and resumption PSKs in the RADIUS TLS-PSK draft

Alan DeKok <aland@deployingradius.com> Fri, 29 March 2024 15:00 UTC

From: Alan DeKok <aland@deployingradius.com>
To: Heikki Vatiainen <hvn@radiatorsoftware.com>
Cc: radext@ietf.org
Date: Fri, 29 Mar 2024 11:00:19 -0400
Subject: Re: [radext] Terminology: Tickets, external and resumption PSKs in the RADIUS TLS-PSK draft
Message-Id: <AE8BBE2F-F5C7-4E7B-A7E8-D7EFC1015092@deployingradius.com>
In-Reply-To: <CAA7Lko8i=MLUHyHAwZmR4kbEYjzf_7+GpihEnSCgur_drRpm-g@mail.gmail.com>
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/sI5DF-nDBnt2oBv6gx6rJDU_Sgc>

On Mar 19, 2024, at 11:34 PM, Heikki Vatiainen <hvn@radiatorsoftware.com> wrote:
> 
> The current RADIUS TLS-PSK draft introduces term 'ticket' in section 'PSK Identities':
> https://www.ietf.org/archive/id/draft-ietf-radext-tls-psk-09.html#name-psk-identities
> 
> In this section a reference is made to the TLS 1.3 RFC section 4.6.1, which describes the 'New Session Ticket Message'. My suggestion is to use section 4.2.11 'Pre-Shared Key Extension' instead:
> https://www.rfc-editor.org/rfc/rfc8446#section-4.2.11

  I'll add that reference and clarify the text.

> The reasoning is this: this draft defines the use of external PSKs. Only resumption PSKs sent by servers use 'New Session Ticket Message'. External PSK labels are sent by clients using the 'Pre-Shared Key Extension'. In other words, 'New Session Ticket Message' is not relevant with external PSKs whose use this draft defines.
> 
> Also, when session resumption is turned off on the server side, 'New Session Ticket Message' is never used. For these reasons it would be clearer for the readers that the draft refers to messages that they'll see with the external PSKs RADIUS TLS-PSK uses.
> 
> To summarise the above: be clear that 'ticket' is for resumption PSKs while this draft targets using external PSKs.

  I'll add a short "terminology" section to make this separation clearer.

> I've also created a pull request that tries to minimise different ways to say 'external PSK' and 'session resumption PSK'.
> https://github.com/radext-wg/draft-ietf-radext-tls-psk/pull/3

  I've merged it in, thanks.

  Alan DeKok.
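The distinction the thread settles on (an external PSK identity travels in the client's pre_shared_key extension, RFC 8446 section 4.2.11; a ticket is something the server hands out in NewSessionTicket, section 4.6.1, and only ever yields a resumption PSK) is concrete at the wire level. The following is an added example, not code from the thread, the draft, or any RADIUS implementation: it builds and parses both structures and derives the resumption PSK from a ticket the way section 4.6.1 specifies. The cipher-suite hash (SHA-256), the resumption_master_secret, the ticket contents and the identity label are all constructed for the example; the `looks_external` classifier is a heuristic based on the RFC's "SHOULD use obfuscated_ticket_age 0 for external identities", not a protocol guarantee.

```python
"""TLS 1.3 pre_shared_key (client) vs NewSessionTicket (server); constructed inputs."""
import hashlib
import hmac
import struct

HASH = hashlib.sha256  # assumed cipher-suite hash (e.g. TLS_AES_128_GCM_SHA256)


def _vec(data: bytes, len_bytes: int) -> bytes:
    """Encode a TLS variable-length vector with a len_bytes-wide length prefix."""
    return len(data).to_bytes(len_bytes, "big") + data


def _read_vec(buf: bytes, off: int, len_bytes: int):
    """Decode a TLS vector at buf[off:]; return (contents, offset after it)."""
    n = int.from_bytes(buf[off:off + len_bytes], "big")
    off += len_bytes
    if off + n > len(buf):
        raise ValueError("truncated vector")
    return buf[off:off + n], off + n


def build_client_psk_extension(identities, binder_len=HASH().digest_size) -> bytes:
    """OfferedPsks { identities<7..2^16-1>; binders<33..2^16-1> } (RFC 8446 4.2.11).
    identities: list of (identity_bytes, obfuscated_ticket_age).  Binders are
    zero placeholders; a real client fills them with the binder HMAC."""
    ids = b"".join(_vec(i, 2) + struct.pack("!I", age) for i, age in identities)
    binders = b"".join(_vec(b"\x00" * binder_len, 1) for _ in identities)
    return _vec(ids, 2) + _vec(binders, 2)


def parse_client_psk_extension(ext: bytes):
    """Return [(identity, obfuscated_ticket_age, binder)] from an OfferedPsks body."""
    ids_blob, off = _read_vec(ext, 0, 2)
    binders_blob, off = _read_vec(ext, off, 2)
    if off != len(ext):
        raise ValueError("trailing bytes after OfferedPsks")
    identities, o = [], 0
    while o < len(ids_blob):
        ident, o = _read_vec(ids_blob, o, 2)
        if not ident:
            raise ValueError("PskIdentity.identity must be non-empty")
        (age,) = struct.unpack("!I", ids_blob[o:o + 4])
        o += 4
        identities.append((ident, age))
    binders, o = [], 0
    while o < len(binders_blob):
        b, o = _read_vec(binders_blob, o, 1)
        if len(b) < 32:
            raise ValueError("PskBinderEntry shorter than 32 bytes")
        binders.append(b)
    if len(binders) != len(identities):
        raise ValueError("binder count must equal identity count")
    return [(i, a, b) for (i, a), b in zip(identities, binders)]


def looks_external(identity: bytes, obfuscated_ticket_age: int) -> bool:
    """Heuristic, not a guarantee: an external identity SHOULD carry age 0 and the
    RADIUS TLS-PSK draft uses printable labels; a resumption identity is an opaque
    ticket offered with a non-zero obfuscated age."""
    printable = all(0x20 <= c < 0x7F for c in identity)
    return obfuscated_ticket_age == 0 and printable


def build_new_session_ticket(lifetime: int, age_add: int, nonce: bytes, ticket: bytes) -> bytes:
    """Handshake message type 4 wrapping NewSessionTicket (RFC 8446 4.6.1), no extensions."""
    body = struct.pack("!II", lifetime, age_add) + _vec(nonce, 1) + _vec(ticket, 2) + _vec(b"", 2)
    return b"\x04" + len(body).to_bytes(3, "big") + body


def parse_new_session_ticket(msg: bytes) -> dict:
    """Parse a NewSessionTicket handshake message into its fields."""
    if msg[:1] != b"\x04":
        raise ValueError("not a NewSessionTicket (handshake type 4)")
    body, off = _read_vec(msg, 1, 3)
    if off != len(msg):
        raise ValueError("trailing bytes after handshake message")
    lifetime, age_add = struct.unpack("!II", body[:8])
    nonce, o = _read_vec(body, 8, 1)
    ticket, o = _read_vec(body, o, 2)
    _exts, o = _read_vec(body, o, 2)
    return {"lifetime": lifetime, "age_add": age_add, "nonce": nonce, "ticket": ticket}


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 7.1) over HMAC-based HKDF-Expand (RFC 5869)."""
    info = struct.pack("!H", length) + _vec(b"tls13 " + label, 1) + _vec(context, 1)
    out, prev, i = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(secret, prev + info + bytes([i]), HASH).digest()
        out, i = out + prev, i + 1
    return out[:length]


def resumption_psk(resumption_master_secret: bytes, ticket_nonce: bytes) -> bytes:
    """RFC 8446 4.6.1: HKDF-Expand-Label(rms, "resumption", ticket_nonce, Hash.length)."""
    return hkdf_expand_label(resumption_master_secret, b"resumption", ticket_nonce, HASH().digest_size)


def resumption_offer(ticket: dict, ticket_age_ms: int):
    """What a client puts in pre_shared_key when it later offers the ticket:
    identity = the opaque ticket, age = (age_ms + ticket_age_add) mod 2^32."""
    return ticket["ticket"], (ticket_age_ms + ticket["age_add"]) & 0xFFFFFFFF
```

Run against a constructed external label such as `b"radsec-nas-01"` with age 0 and the parser reports an external-looking identity; feed the same parser the identity produced by `resumption_offer` on a parsed NewSessionTicket and the non-zero, `ticket_age_add`-obfuscated age marks it as a resumption offer. A RADIUS/TLS server that disables resumption never emits the type-4 message, so the second path simply never occurs, which is the point Heikki makes above.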