IETF Logo Mail Archive

Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)

Alan DeKok <aland@deployingradius.com> Mon, 01 February 2021 15:42 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 689A33A1266; Mon, 1 Feb 2021 07:42:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jBynHlByqtdb; Mon, 1 Feb 2021 07:42:19 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2E893A127B; Mon, 1 Feb 2021 07:42:18 -0800 (PST)
Received: from [192.168.46.129] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id 101EA381; Mon, 1 Feb 2021 15:42:15 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CABcZeBMAtmPfG0rctvO8UvnhPqY1etk=SxnonP_t6ysNxH7hVA@mail.gmail.com>
Date: Mon, 01 Feb 2021 10:42:14 -0500
Cc: Benjamin Kaduk <kaduk@mit.edu>, "<tls@ietf.org>" <tls@ietf.org>, Martin Thomson <mt@lowentropy.net>, EMU WG <emu@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D6AAF668-86C8-4C5D-AF1E-B37F106A4D1C@deployingradius.com>
References: <e669002f-caff-1e6e-e28b-d09157eb0c07@ericsson.com> <6241F0B6-C722-449E-AC3A-183DE330E7B5@deployingradius.com> <9ddd1593-3131-f5cc-d0db-74bf3db697bf@ericsson.com> <3CB58153-8CCA-4B1E-B530-BA67A6035310@deployingradius.com> <CAOgPGoA3U+XpZMY7J+KGovNx6MtAdEzRaGW33xVJdQNWSi4LVg@mail.gmail.com> <770e6a49-52fc-4e8b-91af-48f85e581fbb@www.fastmail.com> <CAOgPGoBGOMXH-kMhQSujWxnACdmBL845u0ouE0fUYc4rWtUrZg@mail.gmail.com> <ca4c526e-79a0-4fa7-abda-2b626795f068@www.fastmail.com> <3409F71E-4CE4-46BB-8079-BFBE9BE83C9A@deployingradius.com> <66157321-55DC-4831-8EF2-D75934D9024C@deployingradius.com> <20210129183220.GI21@kduck.mit.edu> <1A830492-3404-4BCC-844B-D7D950458BD9@deployingradius.com> <CABcZeBMAtmPfG0rctvO8UvnhPqY1etk=SxnonP_t6ysNxH7hVA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Vtd_1DpNYHVJm2YfXQkj2B8PIxk>
Subject: Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2021 15:42:28 -0000

On Feb 1, 2021, at 9:55 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> Let's take the second case first. If the server is sending (or
> potentially sending) post-handshake messages after the client's second
> flight (e.g., after reading its certificate), then it can easily send
> a close_notify after sending all of them. This will appear in the same
> flight as the commitment message would have (because you can't send it
> before the post-handshake messages) and avoid the need for an extra
> round trip.

  That use of CloseNotify would be before the server receives the client certificates.  It prevents the server from sending TLS alerts for certificate errors (expired, unknown CA, etc).  That would be an unmitigated disaster for deployments.

  The CloseNotify *could* be sent after the server receives the client certs.  But that still means another full round of EAP, before the final EAP-Success.  So from that view, there's no difference between CloseNotify and an explicit commitment message.

> The first case, where the commitment message is sent in 0.5-RTT,
> is the interesting one. However, the server has no more information
> after sending SFIN than it does sending EE, so I believe that the
> easiest way to deal with this is with a TLS extension that says
> "I do not send any post-handshake messages". This would still
> leave the server free to send any relevant alerts in response to
> the client's second flight.

  Except that if the server likes the client cert, Figure 1 of draft-13 shows the next packet is EAP-Success.  So the client has no *authenticated* way of telling that it has been authenticated.  Any party to the conversation could send a blank EAP-Success (which is 4 bytes of unauthenticated data).  And thus break EAP-TLS.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email