Re: [secdir] [Emu] Secdir last call review of draft-ietf-emu-eaptlscert-06

Mohit Sethi M <mohit.m.sethi@ericsson.com> Fri, 30 October 2020 13:48 UTC

From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Stefan Santesson <stefan@aaa-sec.com>
CC: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-emu-eaptlscert.all@ietf.org" <draft-ietf-emu-eaptlscert.all@ietf.org>, "emu@ietf.org" <emu@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Date: Fri, 30 Oct 2020 13:48:36 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/gD_65RNa20mE3hc5txFWaY1xH0s>

Hi Stefan,

Thank you for the review. I have updated the draft on GitHub 
(https://github.com/emu-wg/eaptls-longcert). Here is the diff for your 
convenience: 
https://tools.ietf.org/rfcdiff?url1=https://tools.ietf.org/id/draft-ietf-emu-eaptlscert.txt&url2=https://emu-wg.github.io/eaptls-longcert/draft-ietf-emu-eaptlscert.txt.

The following text was added:

>    The size of certificates (and certificate chains) may also increase
>    manifold in the future with the introduction of quantum-safe
>    cryptography.  For example, lattice-based cryptography would have
>    public keys of approximately 1000 bytes and signatures of
>    approximately 2000 bytes.

and in Section 4.2.5:

>    The Authority Information Access (AIA) extension specified in
>    [RFC5280] can be used with end-entity and CA certificates to access
>    information about the issuer of the certificate in which the
>    extension appears.  For example, it can be used to provide the
>    address of the OCSP responder from where revocation status of the
>    certificate (in which the extension appears) can be checked. It can
>    also be used to obtain the issuer certificate.  Thus, the AIA
>    extension can reduce the size of the certificate chain by only
>    including a pointer to the issuer certificate instead of including
>    the entire issuer certificate.  However, it requires the side
>    receiving the certificate containing the extension to have network
>    connectivity.  Naturally, such indirection cannot be used for the
>    server certificate (since the EAP peer in most deployments does not
>    have network connectivity before authen

Let me know what you think. I am not an expert on quantum cryptography 
or on the AIA extension. I will wait for all the comments to come in 
before submitting a new version.

--Mohit
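To make the AIA discussion in the new Section 4.2.5 text concrete, here is an added example (not code from the draft, the working group, or anyone in this thread): a stdlib-only DER encoder and decoder for the RFC 5280 AuthorityInfoAccess extension, and a helper showing when the caIssuers pointer actually lets a sender drop the intermediate certificate from the chain. The URIs, the OCSP/caIssuers access-method OIDs are the real RFC 5280 values, but the certificate byte strings and sizes are constructed stand-ins, and `certificates_to_send` is a hypothetical policy helper, not an API of any TLS or EAP implementation.

```python
# Added example: encode/decode the X.509 AuthorityInfoAccess (AIA) extension
# with no third-party libraries, then show the chain-size trade-off the draft
# describes. Sample URIs and certificate blobs below are constructed.

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # accessMethod: OCSP responder (RFC 5280)
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # accessMethod: issuer certificate (RFC 5280)

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # GeneralName [6] uniformResourceIdentifier, context-specific primitive


def _der_length(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER content octets (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw: bytes) -> str:
    """DER content octets -> dotted OID (first arc 0 or 1 only, enough for id-ad-*)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this TLV) for the element at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_aia(entries) -> bytes:
    """entries: iterable of (accessMethod OID, URI) -> AIA extnValue DER."""
    descriptions = b"".join(
        _tlv(TAG_SEQUENCE, _tlv(TAG_OID, encode_oid(oid)) + _tlv(TAG_URI, uri.encode("ascii")))
        for oid, uri in entries
    )
    return _tlv(TAG_SEQUENCE, descriptions)


def decode_aia(der: bytes) -> dict:
    """Parse AuthorityInfoAccessSyntax into {accessMethod OID: [URI, ...]}."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA extnValue must be a SEQUENCE")
    result, pos = {}, 0
    while pos < len(body):
        tag, desc, pos = _read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        mtag, method, after_method = _read_tlv(desc, 0)
        ltag, location, _ = _read_tlv(desc, after_method)
        if mtag != TAG_OID:
            raise ValueError("accessMethod must be an OID")
        if ltag != TAG_URI:
            continue  # other GeneralName choices are out of scope for this example
        result.setdefault(decode_oid(method), []).append(location.decode("ascii"))
    return result


def certificates_to_send(end_entity: bytes, intermediates, aia_der: bytes,
                         receiver_has_network: bool):
    """Hypothetical policy: which certificates go into the TLS Certificate message.

    The intermediates may be omitted only if the end-entity certificate carries a
    caIssuers pointer AND the receiver can fetch it. An EAP peer usually has no
    network access before authentication completes, so for the server's chain the
    answer is the full chain. (aia_der is passed separately here; in a real
    certificate it lives in the extensions of end_entity.)
    """
    if receiver_has_network and decode_aia(aia_der).get(ID_AD_CA_ISSUERS):
        return [end_entity]
    return [end_entity] + list(intermediates)


def wire_size(certs) -> int:
    return sum(len(c) for c in certs)


# Constructed sample data: two AIA entries and two fake DER blobs of realistic size.
SAMPLE_AIA = encode_aia([
    (ID_AD_OCSP, "http://ocsp.example.net/"),
    (ID_AD_CA_ISSUERS, "http://ca.example.net/int.cer"),
])
EE_CERT = b"\x30" + b"E" * 1199    # stand-in end-entity certificate, 1200 bytes
INT_CERT = b"\x30" + b"I" * 1299   # stand-in intermediate certificate, 1300 bytes

if __name__ == "__main__":
    print(decode_aia(SAMPLE_AIA))
    for has_net in (False, True):
        chain = certificates_to_send(EE_CERT, [INT_CERT], SAMPLE_AIA, has_net)
        print(f"receiver_has_network={has_net}: {len(chain)} cert(s), {wire_size(chain)} bytes")
```

Run stand-alone it prints the parsed access locations, then the chain that would be sent with and without receiver connectivity; the second line is the draft's point that AIA indirection can only shrink the client-side chain, since the peer cannot resolve a caIssuers URI before EAP authentication completes.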

On 10/30/20 5:04 AM, Benjamin Kaduk wrote:
> Hi Stefan,
>
> Thanks for the review; it raises some good topics.
> Replying on a couple points...
>
> On Thu, Oct 29, 2020 at 04:13:02PM -0700, Stefan Santesson via Datatracker wrote:
>> Reviewer: Stefan Santesson
>> Review result: Has Nits
>>
>> The document in general is good and well written.
>>
>> Some nits need attention before publication, as the general review also points
>> out. E.g. in the abstract: "This document looks at the this problem"
>>
>> Some abbreviations need to be spelled out at first usage, such as MTU (Maximum
>> Transmission Unit)
> MTU may actually be okay; per
> https://www.rfc-editor.org/materials/abbrev.expansion.txt it is marked as
> "well-known" and does not always need to be expanded.
>
>> On the content itself I have two questions:
>>
>> - Wouldn't it be relevant to also discuss the risks with regard to introduction
>> of quantum safe crypto, if that leads to significantly increased key sizes? It
>> could be troublesome if transition to a safer crypto is made impossible due to
>> size limitations.
>>
>> - Would it be relevant to discuss usage of the AIA extension as a
>> means of possibly excluding intermediary certs from the path, as they could be
>> located using AIA?
>>
>> Finally, I agree with the general review that this document references quite
>> some work in progress. If this document is to be published before these
>> referenced works are concluded, are there alternatives to make the same point?
> They seem to mostly be informative references, and so would not require us
> to hold publication of this document.  It is probably still worth
> considering if there are alternatives anyway, though.
>
> -Ben
>
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu