Re: [TLS] Comments on draft-friel-tls-eap-dpp-01

"Owen Friel (ofriel)" <ofriel@cisco.com> Mon, 14 June 2021 17:38 UTC

Return-Path: <ofriel@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 842803A2BF7 for <tls@ietfa.amsl.com>; Mon, 14 Jun 2021 10:38:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.595
X-Spam-Level:
X-Spam-Status: No, score=-9.595 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=C72q5OQM; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=Zailr2yY
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8OLqiId0UBuG for <tls@ietfa.amsl.com>; Mon, 14 Jun 2021 10:38:11 -0700 (PDT)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8197E3A2BF8 for <tls@ietf.org>; Mon, 14 Jun 2021 10:38:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13956; q=dns/txt; s=iport; t=1623692291; x=1624901891; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=c63hRk0Bi6L7z+sLuy044lN5CRnX/wMN4m/mUuaUwQk=; b=C72q5OQMzS5p2QE9E5xTQZG/T70ABg5bXhndEBg85AtkexhGuSFF4YSh ay+mmGkFiCInJqm4OosF4nTpCOO2tdMSk0Il2oGTDsnwKwEiyFnSSSBBL UkI2e8jHHcPRUK8IjlXhpWIqRu4iu/jwxj4RQI+ftTJ+v/m1muq1h36jH 4=;
X-IPAS-Result: =?us-ascii?q?A0AhAgBPk8dgl4QNJK1aHgEBCxIMggwLgSMwIy5+WjcxC?= =?us-ascii?q?4Q9g0gDhTmIfAOVGIUAgS6BJQNUCwEBAQ0BATcIAgQBAYRQAheCUgIlNAkOA?= =?us-ascii?q?gQBAQEBAwIDAQEBAQUBAQUBAQECAQYEFAEBAQEBAQEBaIVoDYZFAQEBBBIRC?= =?us-ascii?q?hMBATcBDwIBCBEEAQErAgICMB0IAgQBDQUIGoJPAYF+VwMvAQ6ddgGBOgKKH?= =?us-ascii?q?3qBMoEBggcBAQYEBIUqGIIxAwaBOoJ7hAwBAYJng3oIHxyBSUSBWIIqNj6CY?= =?us-ascii?q?gEBAQEBgUUaK4JqNoIugmc2aUMOAoIDAS0BQpBgg2GID58dCoMcig+UABKlZ?= =?us-ascii?q?JVSjBeYGQIEAgQFAg4BAQaBVDmBW3AVgyRQFwIOjh8Zg1eCZIIwhUpzAgE1A?= =?us-ascii?q?gYBCQEBAwl8h1MBgRABAQ?=
IronPort-PHdr: A9a23:fuOyPhQzzdypjTO0CGzViWuBVNpso1vLVj580XJvo75Le76ouZXvI EKZ4u9i3xfFXoTevvRDjeee86XtQncJ7pvJtnceOIdNWBkIhYRz/UQgDceJBFe9IKvsaCo3T 8hHXUVuuXC2LUYTH9zxNBXep3So5msUHRPyfQN+OuXyHNvUiMK6n+C/8pHeeUNGnj24NLhzN x6x6w7Ws5p+vA==
IronPort-HdrOrdr: A9a23:n3f+Lamjax4DQMpiFBf3dKL57SjpDfOqimdD5ihNYBxZY6Wkfp +V/cjzhCWbtN9OYh4dcIi7Sda9qXO1z+8T3WBjB8bdYOCGghroEGgG1+vfKlLbalbDH4JmpM Jdmu1FeaHN5DtB/IbHCWuDYqwdKbC8mcjC74qzvhQdLz2CKZsQkjuRYTzrdHGeMTM2fabRY6 Dsn/avyQDQHUg/X4CePD0oTuLDr9rEmNbNehgdHSMq7wGIkHeB9KP6OwLw5GZcbxp/hZMZtU TVmQ3w4auu99uhzAXH6mPV55NK3PP819p4AtCWgMR9EESvtu/oXvUlZ1SxhkFznAid0idtrD AKmWZ4Ay1H0QKUQohym2q05+Cv6kd015ao8y7ovZKqm72IeNt9MbsauWqcGSGpt3bJe7pHof 92NiuixulqJAKFkyLn69fSURZ20kKyvHo5iOYWy2dSSI0EddZq3MEiFW5uYdw99RjBmcoa+S hVfbfhzecTdUnfY2HSv2FpztDpVnMvHg2eSkxHvsCOyTBZkH1w0kNdnaUk7zg93YN4T4MB6/ XPM6xumr0LRsgKbbhlDONERcesEGTCTR/FLWrXK1X6E6MMPW7LtvfMkfkIDSGRCdQ1Jb4J6d r8uX9jxBoPknPVeISzNcdwg2XwqU2GLEPQI+9llupEhoE=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.83,273,1616457600"; d="scan'208,217";a="753647507"
Received: from alln-core-10.cisco.com ([173.36.13.132]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 14 Jun 2021 17:38:10 +0000
Received: from mail.cisco.com (xbe-rcd-004.cisco.com [173.37.102.19]) by alln-core-10.cisco.com (8.15.2/8.15.2) with ESMTPS id 15EHcAKv024886 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 14 Jun 2021 17:38:10 GMT
Received: from xfe-rcd-001.cisco.com (173.37.227.249) by xbe-rcd-004.cisco.com (173.37.102.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Mon, 14 Jun 2021 12:38:10 -0500
Received: from xfe-rcd-001.cisco.com (173.37.227.249) by xfe-rcd-001.cisco.com (173.37.227.249) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Mon, 14 Jun 2021 12:38:09 -0500
Received: from NAM04-BN8-obe.outbound.protection.outlook.com (72.163.14.9) by xfe-rcd-001.cisco.com (173.37.227.249) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15 via Frontend Transport; Mon, 14 Jun 2021 12:38:09 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=A/4heE3JO79z2wp9Aih4b0wBfJIbrhZ5iciJL0dp+X0TII+k/LGOEP7Vqs0y1WG1CZHCKzc8LdDa1gWaR6BVeKOVmFlc63shh968TUaVzF2OoJvw3zk85fNQkKCO89PsXemUXhGiDqjpqymF9Iy2mFti6mJpQZyS/bwSYLLQZDP9Ll7kyF6mx2MGbkbA6AkXBIZHBxzpHGE8Y9pqxOY0Mz+O/YPFpUCmxHE/thGDh5q73FZ5yGlvyLZtqDgiBNl5r/o7WOhZQ/7qiu+KyEqHyl+jt8Csc3bptGZLuWBOMH2zf8Yljsucz/f5lqQYe2ZjvVnBIam23M/wWJkwsTq/rQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=c63hRk0Bi6L7z+sLuy044lN5CRnX/wMN4m/mUuaUwQk=; b=L4u60Fc7wBi4cBWmI1l/7uN0G50xG3yY7szcPhiRtfiTU6iitiYFQ3nEaLwOwnosBKtJ6Eb3fwXjWCqi0vDODZNVYrx9pMZRG9rzroDB+QRWwLStTpIrkJzUXjTeoPIDbmlKgbGq7TtDFxw0iNLtt1thgAPNofQcztTcE2FCa09y5HWxqirDqMZb6Iwqyq7P032rCqLL4rr9Qih4uIBrxFoDYxfImOkMtP+G8oW6wuYceeknWBAOx7NaSbSUfhVfoMLbaSTcKHVRoUZCvPs5q0qSjvqjwsm6o+hlqfyco46nJg9+DqjDvRApy8Tfe0QZPmYwlHIMt0ng+HOZk4Q0VA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=c63hRk0Bi6L7z+sLuy044lN5CRnX/wMN4m/mUuaUwQk=; b=Zailr2yYstS3BUVodsRipp/b52c247PJ7n8y6BhaUxIO6f2LDlxcKDH4Xv0wabuu7PBR0FZ7R7/SbwFSCD8+zjwuaJv4y/oYSUjTOxBLeOnSht0vx+yhaXP61grVTirMAPmnQDhrx56q0fn9KHru8F0uGVtB0+ZDdaJAHaabVGg=
Received: from MW3PR11MB4746.namprd11.prod.outlook.com (2603:10b6:303:5f::15) by CO1PR11MB5090.namprd11.prod.outlook.com (2603:10b6:303:96::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4219.24; Mon, 14 Jun 2021 17:38:08 +0000
Received: from MW3PR11MB4746.namprd11.prod.outlook.com ([fe80::1d42:a719:2d22:a163]) by MW3PR11MB4746.namprd11.prod.outlook.com ([fe80::1d42:a719:2d22:a163%9]) with mapi id 15.20.4219.025; Mon, 14 Jun 2021 17:38:08 +0000
From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: "Owen Friel (ofriel)" <ofriel=40cisco.com@dmarc.ietf.org>, Eric Rescorla <ekr@rtfm.com>, Dan Harkins <dharkins@lounge.org>, Christopher Wood <caw@heapingbits.net>
CC: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Comments on draft-friel-tls-eap-dpp-01
Thread-Index: AdcUK5KzkyVwqQdJQtW6ZIcpT4HkiQACInQAAAsT14AAAnDOAABEnHWQAAqDvIAABkRpAAAAPbAAAAIhmGAS3l90sA==
Date: Mon, 14 Jun 2021 17:38:08 +0000
Message-ID: <MW3PR11MB47467380489ED9EEB90EFEA1DB319@MW3PR11MB4746.namprd11.prod.outlook.com>
References: <BN7PR11MB2641059009817305AEDD597FC1939@BN7PR11MB2641.namprd11.prod.outlook.com> <CABcZeBPzqTukj2m+DbufB3c9vwUPnCGyNQO22z0QeRbN9Csj0g@mail.gmail.com> <c0dbb4c9-af78-c64c-ad4c-22130f75e9cb@lounge.org> <CABcZeBNxczqb5Pzo5UBjGgy0-0Bb8Gj8hAz7GPTyqCFyUg315w@mail.gmail.com> <CY4PR11MB1685A02865105A18E21A10F2DB919@CY4PR11MB1685.namprd11.prod.outlook.com> <CABcZeBOx-=B4O2uEwaN6WQWR28BeNuo2q-cuifJhXwTuo5XS6A@mail.gmail.com> <f8cc2469-8740-f2ec-13e8-50272d586de5@lounge.org> <CABcZeBNJYqP=2fg=CJnvL_sFgbdYQoKVR+_X-izVanDou6mncw@mail.gmail.com> <CY4PR11MB168523D20EC64AA0B863B9CCDB919@CY4PR11MB1685.namprd11.prod.outlook.com>
In-Reply-To: <CY4PR11MB168523D20EC64AA0B863B9CCDB919@CY4PR11MB1685.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [173.39.121.65]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 11cb0c28-4cc0-4269-8b80-08d92f5b2c7f
x-ms-traffictypediagnostic: CO1PR11MB5090:
x-microsoft-antispam-prvs: <CO1PR11MB5090477AF5D592E939E58CC0DB319@CO1PR11MB5090.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: SXlBVRBQiF0LCuxdvelDeYQPZXl3lr/Jz4rYWcAwvIGztGP5t36C5z0ckFqWME78jtMXh9bUp3Hk9AX+Si22b1//cgPjFFxpW3kEqgqiZM/ns/u/V+Qc2RJRD/gRltSPLgVCZvMHPEqd+mPObkBdisNsISkqX6P93xp99FV5WOVks9oYSQ5iIrzqEuR4AsgH6iV/QHw6+0l38WoNYPG99S9A4DQiI+xSYXZ5e9IKDhfwcclqA+nmq9oIfmV4uV2KbefhXSuQBmcxG8EZ2as4EjF1Dp2GE5bRdxQWJuq6TkNUN+Q93xK58xuJm2De/SXFG/FmtJjecszr/2uCnppwTgkdBrbehLbcRNhhrQ5vhbvoThypNfD+wtkcrGRJbh45JxphDTtMdCCmcqpZrSsiGhG7cMORYYX3hydVOdlPBuyO1bC+3Ohl+zTyC2kmZTkImZKB3jEJiMscgS+cn/i4s3EMwMyuyNKKUpC5OxnwF7Fpmjm2Txi4HDSnNN/Fuwd0Ay/B5Pk/9V/ft+uCCeYl7ziTMSh3hbQr6Mt/FwVBFYTqPP0MJgRzcCjfEN2/lRyuRM2z0Y1qnVqGd4vSiTyxXDvJ4NXf+6S1rRp0JPkU5iRqLYNtwTk8s3fwPqz97HD0twpIVoHFJHPduekOQjhGfznwabu6mqKatEGSLVeU2jN84e0sGOwm7fzWLCKij6kC4y2upo8hH8jTSS1uiFxgpw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MW3PR11MB4746.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(346002)(366004)(396003)(39860400002)(136003)(376002)(166002)(966005)(21615005)(6506007)(53546011)(66556008)(64756008)(52536014)(4326008)(2906002)(66446008)(478600001)(71200400001)(66476007)(66946007)(33656002)(7696005)(76116006)(38100700002)(8936002)(55016002)(83380400001)(9686003)(86362001)(186003)(110136005)(8676002)(5660300002)(26005)(122000001)(316002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?utf-8?B?eWVSTkFycFc1OHFsT29YS1FlbDJNMHZiS3VZcTJObmhXUlVncXh6akU4cUU5?= =?utf-8?B?YWVuK2VwWnh5RkMyYk1DYXVzMHJFODFlYkUybm5scEk3bEJmVkJDdjdPbVhZ?= =?utf-8?B?MlNHNGJYbXN2dTZaTHM4eWtoQUoxY21Ha2JFVkZaTXdrb2duZTBBRU41STkv?= =?utf-8?B?elh1ZGhHc2k2d0N0Q3dtNnlGOTE1OElzdUpZNS8vY1NsMUhDVmI1Yk14bzFu?= =?utf-8?B?RE5pZUgwRDdqaXZKUWJ1STlLeG5PbHVEYmJaeG5RcjYyZnppL0dMWlZhaEhj?= =?utf-8?B?V3RVSmpKbnNUaytMc1YxMWNHb3ZTOEVSM1hlZW9TRmR4OWlSTHBtOUt0cGRF?= =?utf-8?B?WkE4YmltSU55bHVFUU5uczZvSWwrQmJvMnRIZ2RLRk9QVld6dDJQaVFSTlA5?= =?utf-8?B?eXJvcVpRNFlRelRJWjdReHpjQTdRTURHOXlJZUdNWi84Z3p3RXlvOHhXRFAy?= =?utf-8?B?MUR5KzZGWjNXcHlGOUFQTFFjNEhQQUFKTko0ckk5ZnJwa0lkTVYwMStBRzRm?= =?utf-8?B?RVJLU2RLdXk2QUgwc3BPbjBIS2hOSHlONlpSWGtjS2dSSFBLL2tGNWE3bW5Q?= =?utf-8?B?MnJFYnJDTmRXb09VSlRLRXF3VVF1Y1pzZ21qOC9JRUxmeXNVYUNGUURZaHpK?= =?utf-8?B?bkVGTG8rRm1VUFc4dFozNHk2a2RmSVFaRjJHWUFxSjk0RjZhTnFvbSs3Qm9K?= =?utf-8?B?NGhCMXpJOGJ3ZVNKbDBzQjBJc1Jld3p2WUtkUTI2SElyNW1uOGVwSnhrZGF3?= =?utf-8?B?T2hWaDg3cG45TEJqc1pBMXBjcXQwcmw4MHJIZDAzSDBCcnI5dU9wRS9vdTdU?= =?utf-8?B?bVZCd0ZtV3ZEcmNSbWdsT0wrR3YxY1JhR2xNaE8yQ2tuL0NJVm04c200WG1W?= =?utf-8?B?ZExhWDJpU0l2Z3ZWcS9IVy9KUmN5dGtMV0FOTWMrU0lCemkwM3dUWnZVRTZi?= =?utf-8?B?NjBnYVRMSUIxbGNEWlhmYWlxSEZ1UE5NRFkvRjh3RUVoU0JzVTJEdWpRbWVx?= =?utf-8?B?M0dscDlCcFNXdDMxYVFSL3BQMkFtMXQ2RWhDSHVaY2M1Q05qSG5TSVJSY1pD?= =?utf-8?B?MzA3cldhVXg1ZFhpUm8yV2EzbmxXQWkwWHlpMEdwNXByZFJKYURqZXoxbFVo?= =?utf-8?B?L3cxbzBvcFQ4TlhWb1o4eERybnc5aHlqTVQyTENWcWNJNkdKL2I5VGp5TVNX?= =?utf-8?B?TjZGRTlvSFNHY2R3VTRKdm1XQ2pyeU9qVWltRlR4a2VyN2dZZjF4SHJVajAz?= =?utf-8?B?bjFMOVZ5aE1UL2FXQmxIMWpSWjB0Y00rdkNPYTJnMSsrNFFhM240NDZvRnFX?= =?utf-8?B?OTEzbUgxY0tlMmkvVVZxenNmUENoZ0orblBwZ1hWcitCN1ZnVVlDcXJsdkM1?= =?utf-8?B?aHl5VWQzNXpyZGhMZnV0UEtzWVRhdlZoUWUwUnVFdVRLWkdyVVUrT3lIbUJz?= =?utf-8?B?bVJMWlJvYTRuQUpGcHNaeDJwU1ZqYllHR3E3NERoRVhzZnROV1RLMW9TVmFt?= =?utf-8?B?dW1GNy9NTklkekdDWHAvQjJWZHN2Tm15R1hrV0x5VVlQd05Fc3V3alZjV0Vv?= =?utf-8?B?Wml2R3NrNnVwUmEzSmEwSTUwQ0dlaFdZNkVieW53c202dTRleFhXZVp2ekNq?= =?utf-8?B?aFR3VWpqUzlubUhEM3VBNjBCVDExYVYydlRDTEY3ZlZSRE1JUjFRU3ZLZURN?= =?utf-8?B?eEF5NS8vUEw1SDVHejNVRDlIcmoycjAxREJ1ZjFFS1Yvd0FUY3JNQ3dlNzZo?= =?utf-8?Q?SisiEV+NJFQ4Z0hvNe8yesh2t/FBVHiQJg8tbGK?=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MW3PR11MB47467380489ED9EEB90EFEA1DB319MW3PR11MB4746namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MW3PR11MB4746.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 11cb0c28-4cc0-4269-8b80-08d92f5b2c7f
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jun 2021 17:38:08.2869 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: HzqG842rlnaeOKJH0sde1QDsbwuP4IOmc7Lrvx64gvS6ptZyiAEdV4CshndN3Ba1+4VwmrPlG+W0qKzEQAAdJw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR11MB5090
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.19, xbe-rcd-004.cisco.com
X-Outbound-Node: alln-core-10.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/chQWq3rZy-zNhgQ7h4nbDRfdI9M>
Subject: Re: [TLS] Comments on draft-friel-tls-eap-dpp-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jun 2021 17:38:17 -0000

I have this working on mint - PSK derived from DPP public/private keypair, leveraging RFC7250 and RFC8773, was about to fixup draft, but realise that we need a flag in the ClientHello to signal to the server that it is a special PSK derived from the public part of the public/private keypair.

This could be done via an extension, similar to RFC8773 tls_cert_with_extern_psk, or Richard pointed me to this: https://chris-wood.github.io/draft-tls-extensible-psks/draft-group-tls-extensible-psks.html

Chris, Ekr, I think this could be a good mechanism to define a new type for this derived PSK, rather than a new ClientHello extension.

Thoughts?



From: TLS <tls-bounces@ietf.org> On Behalf Of Owen Friel (ofriel)
Sent: 11 March 2021 00:26
To: Eric Rescorla <ekr@rtfm.com>om>; Dan Harkins <dharkins@lounge.org>
Cc: <tls@ietf.org> <tls@ietf.org>
Subject: Re: [TLS] Comments on draft-friel-tls-eap-dpp-01



[ofriel] Another requirement is that the full public key Y_c is not transmitted as part of TLS handshake from client to server. We cannot not use RFC 7250 as is. Instead, something like the Known Certificates proposal in cTLS https://tools.ietf.org/html/draft-ietf-tls-ctls-01#section-5.1.3 would work.

Is that a primary requirement or a derived requirement?

  I'm not sure of the distinction you're making here.

Well, once again, it seems like the technical requirement is that:

1. You want to authenticate the server to the client (as noted below, I don't think that the distinction
you are making between "assurance" and "authenticate" is sufficiently crisp to be helpful).
2. The only secret information that the server shares with the client is Y_c.

But this doesn't necessarily preclude the client *sending* Y_c, it merely requires that
it not send it to anyone who hasn't proven they know Y_c first. For instance, if Y_c
was used as a PSK (as owen suggests), then it might (again, no analysis here)
allow the client to send Y_c in an RFC 7250 certificate message because it would
already be being encrypted under a key that required knowing Y_c.

[ofriel] This makes sense, and should avoid having to use cTLS ‘Known Certificates’ for the client’s Certificate RPK.