Re: [radext] TLS-PSK and RADIUS/(D)TLS - MTI trust models
Stefan Paetow <Stefan.Paetow@jisc.ac.uk> Mon, 21 August 2023 23:46 UTC
Return-Path: <Stefan.Paetow@jisc.ac.uk>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C3B1C14CF09 for <radext@ietfa.amsl.com>; Mon, 21 Aug 2023 16:46:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=jisc.ac.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X_nky4loM24R for <radext@ietfa.amsl.com>; Mon, 21 Aug 2023 16:46:13 -0700 (PDT)
Received: from EUR02-AM0-obe.outbound.protection.outlook.com (mail-am0eur02on2062.outbound.protection.outlook.com [40.107.247.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3205C14F74E for <radext@ietf.org>; Mon, 21 Aug 2023 16:46:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ly9DfbMS0mPwIuq0ZfQUORxeTqzXOXf35lgFlvim4AzDzM8Cr3LR6h4O/7+8JfeUOeg3iFRLXrddGksoprNEFu+6Q4KK1dRv9cu5mrY3LpFJI38fnhDQXYAkeK51VYjPNebmrHRFOuTFIgeKUvqRaaNtQwg6nvUPn7Ig2giOYncccy7NRUdLv+IFFf4G5s5pIw5BVdK4+DlOCELL7i9O/U+Vz76F8kIX3k1eVBCCKR7R9U6yUVo5gB/7VWyauZR8KcEvR33Nu9B3AIROgXswhVGtRliE/Ip51Ee6iIU8W1X9rop9PgAqmSgZR3COlB/cfXBiPanYQj+s1WUfYMx0Iw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=14D2H73Iym0v3+1ZRATQvKQ05C/pNZJI8T+1ekUf6YA=; b=JrTKFuU9B17rTXp8F68FuYy8LWFmL/NF5itcyJ/biOhVUioXjFZ0R+d6DQU6vUoIgtcY9NDbD/14Eni0yVkewYhvy4mp0tVgPnT+YphkkPeIND2rwZQ0frYgLF79ErfARQhh5spVK9OE+X6zevDXcZ750mTfeU8ISmGwHiP1vFEtwzKzO6D6raThG3r18IjlsGIf95I0wMJutWtpzp/YtWU9YEe4+mk57uaCusqkTPLK7ues/ZEGy/UR7pmNk3Frh3048QSKdPyz+RSw4tuDisdrPe0+lV4qO077JBil3NqY3ozxJCUxx+SDLOemFtHv3FgQLaEAbTr6V/b1i1cxWQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jisc.ac.uk; dmarc=pass action=none header.from=jisc.ac.uk; dkim=pass header.d=jisc.ac.uk; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jisc.ac.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=14D2H73Iym0v3+1ZRATQvKQ05C/pNZJI8T+1ekUf6YA=; b=JpiE45+vesZjpjsCeurGwhlVueqghd9Ouyk9CFjViXPL0kTRKGM1VBuhsm6UHALvqpgomOUAG0W2yXyGcBoCm1yL0FeD5vvI2ZYXXkVRrCl99J7pho+bDk4v7gqovYVP7KDMF6Xk8EiI/5rTmKVIxP4Cvmb1+cL0yASlEb0RTm0=
Received: from AM0PR07MB4209.eurprd07.prod.outlook.com (2603:10a6:208:b5::19) by AM8PR07MB7411.eurprd07.prod.outlook.com (2603:10a6:20b:248::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6699.24; Mon, 21 Aug 2023 23:46:08 +0000
Received: from AM0PR07MB4209.eurprd07.prod.outlook.com ([fe80::e351:6d88:92f3:d4fd]) by AM0PR07MB4209.eurprd07.prod.outlook.com ([fe80::e351:6d88:92f3:d4fd%4]) with mapi id 15.20.6678.031; Mon, 21 Aug 2023 23:46:08 +0000
From: Stefan Paetow <Stefan.Paetow@jisc.ac.uk>
To: "radext@ietf.org" <radext@ietf.org>
Thread-Topic: [radext] TLS-PSK and RADIUS/(D)TLS - MTI trust models
Thread-Index: AQHZzDsaCJ7jGv1OkkWB4jtr6sP4S6/mjqsAgABSJwCAAZIAgIANGMqA
Date: Mon, 21 Aug 2023 23:46:08 +0000
Message-ID: <24868A3B-AB66-49A7-9328-3530F243C46C@jisc.ac.uk>
References: <009301d9cd13$915a30a0$b40e91e0$@gmail.com> <5AA65516-0FE5-476E-BB0B-F670AFCAF397@gmail.com> <368D0314-E535-4176-A844-1FA378A4A1AA@deployingradius.com>
In-Reply-To: <368D0314-E535-4176-A844-1FA378A4A1AA@deployingradius.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.76.23081101
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=jisc.ac.uk;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: AM0PR07MB4209:EE_|AM8PR07MB7411:EE_
x-ms-office365-filtering-correlation-id: a5571b8b-2c5a-4d02-6fec-08dba2a0caaa
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: FW57mun9SOXyqrwc0Xuwxiv5qKnwcZntQ8Xzc3QAVQvj6APZdtZ/sra6SabPPkOAoQ6mfq/2kQirE0ne5MdzyD5qtF6T2lqfdDTz+kiUr1o5kM/zTUfUmbejlhA94UvZx+AQgToYD1Kz68p97DZm2TBAnj8AOKG+5LFN6ueUQjoxJQ0s+os+YL18eL9O2RxHiEPQQAlcO1CT8QZHrqRm7IWiXmpfeP7tazcXbRrM6Yvo/vGOivClxNVp9oticOg9d0ggRXsXAwnLxrOgSOK1B5jTBsQwNDgPClKCacTP3asw6ttsy0kTyEfhsz0UH1tXi13ssJli55CyAId8JvDIYxNptoWj40fv7gfFV3tNQjw85MSajJjCnv5XwZqjuC4kYPpHCkZE8MKrQzI9r+eDZ9wubArl6ONYFM7QiXvvjUhQpFfyz/nXvSE3t+CGvklyWTyS7Ia8iKLVgsSj3dAWp2d++su6ylgdRh1s2cyXEWsCnRwe6m9I15uScAo53lCsb1PSiXC/Z7upzIYY1XTyDTh33NeXHuT/Hf23rgDuPZ/2aOJwVusSnZGUYBWV5WQzHLn++5iWrvdBkFFpQM+por55xiM7J3xdB1Os5rb+TVvo9qgxIklSjTLmdMKPeiIXHmlRvCHfSsCA2sVhwg7sNI2wmIqCPaEWAyeOXE9H74n+SSMOCVu61Saoftceced161wrANygfQ2l3ZqVl9BD1EWFa8lQg/T9/SeoCBO50Haa+PPoHoYb30US1O5DiM2X
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR07MB4209.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(136003)(39860400002)(346002)(396003)(376002)(366004)(1800799009)(186009)(451199024)(2906002)(66899024)(38100700002)(38070700005)(83380400001)(122000001)(53546011)(6486002)(66946007)(6506007)(66556008)(76116006)(316002)(6916009)(66446008)(66476007)(64756008)(786003)(91956017)(71200400001)(33656002)(41300700001)(6512007)(36756003)(478600001)(966005)(12101799020)(86362001)(45080400002)(26005)(5660300002)(2616005)(8676002)(8936002)(170073001)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: wvNSrYgheIUm/Q9Xw/XYdBErnXY3T5ZVe62ssdDoIyQyBQ3dEMqbQCLCnUlWkRXCpZGk/6/GZidLm80rjanhDfXmwBFxbRQluc6Fspuwt/sQoexn9e9vYf+YNOW8h8CmHAZNlohy/CB5fggk1LZtYvX9ISJ0T4cRgPl55NoA6Y088UIIiTxoL1A2HNUZ6KGXWs/JqFS7skkxH1X4E61j+XLHQTTp02NeocrivmvRxzQ/xLO2WPsqJI5UGD+PD4iqVX5gaJpNxDxgitHUfVgHwSIDpcq3kIV5thrhusyKZpKHmUFBFZSRjd8yrU3dYUZf10Edqv7keBV23HlB+VwWZID/3J6LDYj+ZyLN/10CfbjF595yciHRBDj+P0P3D2sl3s3EX7bwcc5rP7lJlEoeedti1VZLw/bSf5ARof/QM9Kdbbpkm+RH1V/epKhUSqrfHFvZ7obThF/Cq2kd1PGKQGuPoD/0M/P+ROox8snd70ruOtaFmOS4RR90qBW1j9DSN8WJnv0g16sS2cst8fX5f8sm9fFm7/i1M0hKfLviggPGCeOexRg1oIgDlyEEpcmxRf4jJM3YRzdbTO1UYp2rTkUA0hbauQmeNT0VDCYRb40pgG+frOoERiRQiMiuDwH761/i0xE7s9OdY5w5qoPytsIbxfPBhTBTzNIVWIhIFUJZ2bewPtQML+FRQkWfFkf3rcc/rewXdFERKG0IOfB7FsxgmyvSwFZtR0WU8hGo0OQdVHSa1BMqHi1lu8Q3+FZEeWFPRbz892MDgLk1IFu8pOOo3Z2YjgFx0JjubOnYnzq/Z/I4aMVpyBZlO2jQN/bqnKisNzdk9BgbW2+COiYKQrDcVdBeu9kb/BWKi6/DYmul3lwapYLGZTJ3OxxvvAJj+NltXATmMiLGVh/hx5JiI/OfOsgEzSOk/AfcmphOjj7x8MiTJG2OoA2EKNRK7qVUwIUEhEWoAV88vzHPeb8SdzJobOxyEQLPMXcWlD6M7S/dvKju5AcT0ByKikvSmSCgdWcjStFpryc6Ow6R17ykFJZjsNbhDCReGHfzYxrVD4ZvKx6cjUlu85ARpW3I3VQv7P5RrsFeA1mGg81vgv3RnMEVyRa9n/OYcLf5sG0p2Zx/htVpVd+rbtWU8NkU92z8VeLztCUKi7vl8l+Byvflekr19q8QrZWSgPmK6LMnJ36TnIi0PGN5OZis0ObaWkbOfj+i8d/NJlxcF8F74LPsryYrzhrplT9/XZBOJdbMSyDeSF1VAvwrdAV9+T3X6ecpJBZRNo6yTxvvOQlfqQ3Wopp/Y1JYC5kHmOH8GeBA7l1pd2hCYe0tzhRffOrmP3vnOosgVgzXP1+7hEYfbNWlS79HqyzxGld/1as84YNuYnD2EyMtYpIE6Kx3r9gQvnt5TPNDym3Ne5a49AwUuhMc374PFZT5Zt5SHiR2y4w0MmFTredEB6ucw3hL1dVqT+a/xZcNmTgP/DLFC5nmUvXW5FSiUWMHX5tAabtkUGlMBNN5Nz6tNYeQBGNTanKreS2SuFtatu07XuAIxv4SJDLGTcYIbeih2YpGnKT/gG1pFmk4k7MUE0w6+Py/UTXEOc8rC54dm5ZwVMIIiXOF9XDadQ==
Content-Type: text/plain; charset="utf-8"
Content-ID: <D14B0F5C0C032B4980479103B274B785@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: jisc.ac.uk
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM0PR07MB4209.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a5571b8b-2c5a-4d02-6fec-08dba2a0caaa
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Aug 2023 23:46:08.1328 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 48f9394d-8a14-4d27-82a6-f35f12361205
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Pyz4WMASiLKUdDby/WvDgRiKMBc/6IB91HiTjWDzct9lURC5qgcrDERy36W/ahCObs97Sczd1IpnuSlmqGVGObb4bGqt4EQVrklWIK/BRkg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM8PR07MB7411
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/tPbFs5eF8pWa9hC-MkHRRBAHFe4>
Subject: Re: [radext] TLS-PSK and RADIUS/(D)TLS - MTI trust models
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Aug 2023 23:46:17 -0000
Just as an aside: We've had this situation with a vendor recently, and I can say that yes, sometimes you have to say "sorry, but not having RADIUS/TLS is not an option". Thankfully, the vendor has the technical skills and our assurance that we wouldn't be jumping ship, so RADIUS/TLS is being implemented. Now TLS-PSK would be an interesting future feature to suggest to them. With kind regards Stefan Paetow Federated Roaming Technical Specialist eduroam(UK), Jisc email/teams: stefan.paetow@jisc.ac.uk gpg: 0x3FCE5142 For eduroam support, please contact the eduroam team via help@jisc.ac.uk and mark it for eduroam’s attention. On Wednesdays and Fridays, I am not available between 12:00 and 15:00. jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB Tel: 020 3697 5800. On 13/08/2023, 17:46, "radext on behalf of Alan DeKok" <radext-bounces@ietf.org <mailto:radext-bounces@ietf.org> on behalf of aland@deployingradius.com <mailto:aland@deployingradius.com>> wrote: On Aug 12, 2023, at 12:47 PM, Margaret Cullen <mrcullen42@gmail.com <mailto:mrcullen42@gmail.com>> wrote: > After thinking about this for a while, I am concerned that if we add significant new implementation requirements for RADIUS/TLS servers in this specification, one or both of the following things will happen: > > - We will invalidate existing, RFC-compliant implementations of RADIUS/TLS, > > and/or > > - Implementors will simply ignore us, continue referencing the old RFCs for what they actually implement, and our specification will be irrelevant. That is a tried and true RADIUS tradition. "I know the RFCs say to do X, but I'll just do something else instead." > Right now, RADIUS/TLS, RADIUS/DTLS and TLS-PSK are in separate documents. So it is possible to implement an RFC-compliant RADIUS/TLS client or server without RADIUS/DTLS or TLS-PSK. Multiple implementations have done that, and I don’t think the new specification should render those implementations non-compliant or incomplete. As an implementor, I'm fine with it. I think it's best to document how RADIUS _should_ work. And if implementors decide to ignore that, they can take the heat from their customers. Another argument is that if an Open Source project (or two) can do it, why not a multi-billion dollar company? > I’m not sure everyone understands (given what we say about “the D being silent”, etc.) that it takes significant effort to add DTLS support to an existing RADIUS/TLS implementation. UDP is substantially different from TCP, and there is less open source library support for DTLS than TLS. TLS-PSK support is less work, but still not trivial. TLS-PSK was maybe a few hundred lines of code? (1) implement the various OpenSSL callbacks, and (2) expose PSK identity etc. in the configuration. DTLS is a lot more difficult. I blame some of that on OpenSSL weirdness. Their DTLS implementation has best been described as "alpha" for a long time. > IMO, the point of this effort is to move a widely implemented and used protocol (RADIUS/TLS) from Experimental to Standards Track, while combining and harmonizing the RADIUS/TLS and DTLS specs. I don’t think it is, or should be, our goal to substantially raise the bar for what a minimal RFC-compliant RADIUS/TLS server needs to support. I don't see why not. Many of the existing RADIUS specs are decades old. This one will last a long time. Why not recommend the system we want, instead of the system we have? And implementors are not likely to be strongly influenced by the specs. Witness the retransmission timers recommended by RFC 5080. it's 15 years old, and many client implementations ignore it. > Do we have any reason to believe that if we write a specification that says “all RADIUS/TLS servers MUST support DTLS and TLS-PSK” that implementors will actually do that in the near future? If not, I don’t think we should say that. They won't, but I would argue it doesn't matter. > I think we should mandate what actually exists today: “All RADIUS/TLS clients and servers must implement RADIUS/TLS”. I’d go with “servers SHOULD and clients MAY implement DTLS and TLS-PSK”. There's good reason for that, of course. But I think it's best to document the system we need, rather than the system we have. The alternative is to never fix RADIUS, or to give bad implementations a free pass. As someone supporting multiple customers fighting bad implementations, I would prefer to have the ability to push back on those implementations. "I don't like it" is not a very compelling argument for fixing the product. "Your software doesn't follow the RFCs" is a much stronger argument. Alan DeKok. _______________________________________________ radext mailing list radext@ietf.org <mailto:radext@ietf.org> https://www.ietf.org/mailman/listinfo/radext <https://www.ietf.org/mailman/listinfo/radext>
- [radext] TLS-PSK and RADIUS/(D)TLS - MTI trust mo… Jan-Frederik Rieckers
- Re: [radext] TLS-PSK and RADIUS/(D)TLS - MTI trus… Alan DeKok
- Re: [radext] TLS-PSK and RADIUS/(D)TLS - MTI trus… Margaret Cullen
- Re: [radext] TLS-PSK and RADIUS/(D)TLS - MTI trus… josh.howlett
- Re: [radext] TLS-PSK and RADIUS/(D)TLS - MTI trus… Margaret Cullen
- Re: [radext] TLS-PSK and RADIUS/(D)TLS - MTI trus… Alan DeKok
- Re: [radext] TLS-PSK and RADIUS/(D)TLS - MTI trus… Alan DeKok
- Re: [radext] TLS-PSK and RADIUS/(D)TLS - MTI trus… Alexander Clouter
- Re: [radext] TLS-PSK and RADIUS/(D)TLS - MTI trus… Margaret Cullen
- Re: [radext] TLS-PSK and RADIUS/(D)TLS - MTI trus… Jan-Frederik Rieckers
- Re: [radext] TLS-PSK and RADIUS/(D)TLS - MTI trus… Stefan Paetow