IETF Logo Mail Archive

Re: [secdir] [Emu] Secdir last call review of draft-ietf-emu-eaptlscert-06

Stefan Santesson <stefan@aaa-sec.com> Fri, 30 October 2020 14:40 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 328703A0BE3 for <secdir@ietfa.amsl.com>; Fri, 30 Oct 2020 07:40:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eOzc0IGpSpHB for <secdir@ietfa.amsl.com>; Fri, 30 Oct 2020 07:40:35 -0700 (PDT)
Received: from smtp.outgoing.loopia.se (smtp.outgoing.loopia.se [93.188.3.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B2BC3A0EF1 for <secdir@ietf.org>; Fri, 30 Oct 2020 07:40:34 -0700 (PDT)
Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id C7CDE10D0395 for <secdir@ietf.org>; Fri, 30 Oct 2020 15:40:29 +0100 (CET)
Received: from s499.loopia.se (unknown [172.22.191.6]) by s807.loopia.se (Postfix) with ESMTP id A78AC2EB3BC6; Fri, 30 Oct 2020 15:40:29 +0100 (CET)
Received: from s475.loopia.se (unknown [172.22.191.5]) by s499.loopia.se (Postfix) with ESMTP id A1ACD1CE5F2A; Fri, 30 Oct 2020 15:40:29 +0100 (CET)
X-Virus-Scanned: amavisd-new at amavis.loopia.se
Received: from s498.loopia.se ([172.22.191.6]) by s475.loopia.se (s475.loopia.se [172.22.190.15]) (amavisd-new, port 10024) with LMTP id wTSvIyf-K5hE; Fri, 30 Oct 2020 15:40:28 +0100 (CET)
X-Loopia-Auth: user
X-Loopia-User: mailstore2@aaa-sec.com
X-Loopia-Originating-IP: 85.235.7.89
Received: from [192.168.2.50] (gw.aaa-sec.ideon.se [85.235.7.89]) (Authenticated sender: mailstore2@aaa-sec.com) by s498.loopia.se (Postfix) with ESMTPSA id 577B94893BB; Fri, 30 Oct 2020 15:40:28 +0100 (CET)
User-Agent: Microsoft-MacOutlook/16.42.20101102
Date: Fri, 30 Oct 2020 15:40:26 +0100
From: Stefan Santesson <stefan@aaa-sec.com>
To: Mohit Sethi M <mohit.m.sethi@ericsson.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-emu-eaptlscert.all@ietf.org" <draft-ietf-emu-eaptlscert.all@ietf.org>, "emu@ietf.org" <emu@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Message-ID: <2F8F716A-C063-4DF4-8384-BBD59C636C8A@aaa-sec.com>
Thread-Topic: [Emu] Secdir last call review of draft-ietf-emu-eaptlscert-06
References: <160401318284.11167.6795105917637378641@ietfa.amsl.com> <20201030030415.GE39170@kduck.mit.edu> <12167567-9dc5-6161-abef-826b0a8b6602@ericsson.com>
In-Reply-To: <12167567-9dc5-6161-abef-826b0a8b6602@ericsson.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/2sy_-xgdPdgx9rOkGllK1QVqMg8>
Subject: Re: [secdir] [Emu] Secdir last call review of draft-ietf-emu-eaptlscert-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Oct 2020 14:40:39 -0000

Hi,

I think the text is great. 
However I'm not entirely convinced that AIA requires network connectivity at all times.
The AIA CA cert url is static and works fine as identifier for a locally cached cert
The fact that it is the correct cert is assured by the path validation process.
As such, the AIA works fine with a http cache implementation or similar or any other solution using locally stored data.
If used in a local corporate context, a cache mechanism could be provided with pre-loaded relevant certs.

But I don’t know how this may or may not interoperate with deployed base of EAP implementations.

Stefan Santesson 

On 2020-10-30, 14:48, "Mohit Sethi M" <mohit.m.sethi@ericsson.com> wrote:

    Hi Stefan,

    Thank you for the review. I have updated the draft in github 
    (https://github.com/emu-wg/eaptls-longcert). Here is the diff for your 
    convenience: 
    https://tools.ietf.org/rfcdiff?url1=https://tools.ietf.org/id/draft-ietf-emu-eaptlscert.txt&url2=https://emu-wg.github.io/eaptls-longcert/draft-ietf-emu-eaptlscert.txt.

    The following text was added:

    >    The size of certificates (and certificate chains) may also increase
    >    manifold in the future with the introduction of quantum-safe
    >    cryptography.  For example, lattice-based cryptography would have
    >    public keys of approximately 1000 bytes and signatures of
    >    approximately 2000 bytes.
    and in Section 4.2.5

    >    The Authority Information Access (AIA) extension specified in
    >    [RFC5280] can be used with end-entity and CA certificates to access
    >    information about the issuer of the certificate in which the
    >    extension appears.  For example, it can be used to provide the
    >    address of the OCSP responder from where revocation status of the
    >    certificate (in which the extension appears) can be checked. It can
    >    also be used to obtain the issuer certificate.  Thus, the AIA
    >    extension can reduce the size of the certificate chain by only
    >    including a pointer to the issuer certificate instead of including
    >    the entire issuer certificate.  However, it requires the side
    >    receiving the certificate containing the extension to have network
    >    connectivity.  Naturally, such indirection cannot be used for the
    >    server certificate (since the EAP peer in most deployments does not
    >    have network connectivity before authen

    Let me know what you think. I am not an expert on quantum cryptography 
    or on the AIA extension. I will wait for all the comments to come in 
    before submitting a new version.

    --Mohit

    On 10/30/20 5:04 AM, Benjamin Kaduk wrote:
    > Hi Stefan,
    >
    > Thanks for the review; it raises some good topics.
    > Replying on a couple points...
    >
    > On Thu, Oct 29, 2020 at 04:13:02PM -0700, Stefan Santesson via Datatracker wrote:
    >> Reviewer: Stefan Santesson
    >> Review result: Has Nits
    >>
    >> The document in general is good and well written.
    >>
    >> Some nits needs attention before publication as the general review also points
    >> out. Ex in the abstract "This document looks at the this problem"
    >>
    >> Some abbreviations needs to be spelled out at first usage, such as MTU (Maximum
    >> Transmission Unit)
    > MTU may actually be okay; per
    > https://www.rfc-editor.org/materials/abbrev.expansion.txt it is marked as
    > "well-known" and does not always need to be expanded.
    >
    >> On the content itself I have two questions:
    >>
    >> - Wouldn't it be relevant to also discuss the risks with regard to introduction
    >> of quantum safe crypto, if that leads to significantly increased key sizes? It
    >> could be troublesome if transition to a safer crypto is made impossible due to
    >> size limitations. - Would it be relevant to discuss usage of AIA extension as
    >> means of possibly excluding intermediary certs from the path as they could be
    >> located using AIA?
    >>
    >> Finally, I agree with the general review that this document reference quite
    >> some work in progress. If this document is to be published before these
    >> referenced works are concluded, are there alternatives to make the same point?
    > They seem to mostly be informative references, and so would not require us
    > to hold publication of this document.  It is probably still worth
    > considering if there are alternatives anyway, though.
    >
    > -Ben
    >
    > _______________________________________________
    > Emu mailing list
    > Emu@ietf.org
    > https://www.ietf.org/mailman/listinfo/emu

v2.23.0 | Report a Bug | By Email