Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)

Mohit Sethi M <mohit.m.sethi@ericsson.com> Fri, 08 January 2021 08:44 UTC

From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Martin Thomson <mt@lowentropy.net>, "tls@ietf.org" <tls@ietf.org>
Date: Fri, 08 Jan 2021 08:44:15 +0000
Message-ID: <eb7e885d-b93e-1d4c-7e54-398ec81e1cf4@ericsson.com>
References: <160815821055.25925.15897627611548078426@ietfa.amsl.com> <20201216223842.GR64351@kduck.mit.edu> <0f2b05db-5c98-43d4-aae3-cf620814bacc@www.fastmail.com> <A4BBA31B-8754-4D8C-B0F1-D1C6C859F6AE@deployingradius.com> <CAOgPGoBvBzhA0q4gFqpFSm2HkAs6NoyLc6RVZYLtTYsNd02i8A@mail.gmail.com> <e669002f-caff-1e6e-e28b-d09157eb0c07@ericsson.com> <6241F0B6-C722-449E-AC3A-183DE330E7B5@deployingradius.com> <9ddd1593-3131-f5cc-d0db-74bf3db697bf@ericsson.com> <3CB58153-8CCA-4B1E-B530-BA67A6035310@deployingradius.com> <CAOgPGoA3U+XpZMY7J+KGovNx6MtAdEzRaGW33xVJdQNWSi4LVg@mail.gmail.com> <770e6a49-52fc-4e8b-91af-48f85e581fbb@www.fastmail.com> <b2b24b86-2cc0-7d01-2474-c9b25b856d0c@ericsson.com> <02c1fbac-f23c-46af-b5fd-caa3cc7cf8e1@www.fastmail.com>
In-Reply-To: <02c1fbac-f23c-46af-b5fd-caa3cc7cf8e1@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/p8f3jrVnf65upr-CsUIMTltwZ4M>
Subject: Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>

Hi Martin,

Thanks for the quick response.

On 1/8/21 10:25 AM, Martin Thomson wrote:
> On Fri, Jan 8, 2021, at 18:54, Mohit Sethi M wrote:
>> Thanks for pointing this out. I think Ben also mentioned this in his
>> review. I am not sure if it is necessary to add the type-code to the
>> label when it is already part of the label string as 'EAP_TLS'. Other
>> TLS based EAP methods should ideally register labels of the form
>> EXPORTER_EAP_TTLS_MSK or EXPORTER_EAP_FAST_MSK (instead of reusing the
>> EAP-TLS label) as is currently done in
>> https://tools.ietf.org/html/draft-ietf-emu-tls-eap-types-01.
> Sounds good to me.
>
>> I do agree with your point about the incorrect usage of the context.
>> Perhaps the ideal choice here would be Server-Id and Peer-Id (if client
>> certificate is used): https://tools.ietf.org/html/rfc5216#section-5.2.
> Maybe, as I said, it depends.
>
>> However, I checked the wpa_supplicant implementation and currently these
>> values are not available. As far as I can tell, the Server-Id and
>> Peer-Id are not exported for any EAP method. So we'll need to think
>> what's the right thing to do: update implementation/use some other
>> sensible value/or leave the context empty (which is allowed in RFC 5705).
> This suggests that the values aren't critical to any decision making process made by either peer and maybe you don't need to include them.  I would check a little more thoroughly though.  One implementation not using them isn't strong enough evidence that they aren't used at all.  If those identifiers determine what certificate is selected, or anything like that, then it would be good to ensure that peers agree on what they were.  That might mean making them available in implementations that did not previously use them.  On the other hand, if they are always going to be anonymous identifiers that have no bearing on the TLS operation, don't worry about it and use the empty string.

These values are critical for making authorization decisions about 
network access. It is more a question of where these values are 
available, exported, and used for decision making in implementations. 
Thank you for nudging us in the right direction. :)

--Mohit
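The exporter mechanics the thread turns on, as an added example that is not part of the original message, of the draft, or of wpa_supplicant: a from-scratch TLS 1.3 exporter (RFC 8446 Section 7.5, built on RFC 5869 HKDF over SHA-256) run with the labels named above. The exporter master secret, the Server-Id/Peer-Id strings, the NUL separator between them, and the helper names (eap_msk, labels_are_independent, peers_agree) are constructed assumptions, not values from any specification or capture. It shows two things: per-method labels such as EXPORTER_EAP_TLS_MSK and EXPORTER_EAP_TTLS_MSK already yield independent key material with an empty context, and if one side feeds Server-Id/Peer-Id into the context while the other passes the empty string, the derived MSKs diverge, so whatever goes into the context has to be something both peers can compute identically.

```python
"""TLS 1.3 exporter (RFC 8446 Section 7.5) applied to EAP-TLS MSK derivation.

Added illustration for the label/context discussion; not code from the draft
or from any EAP implementation. All secrets and identities below are
constructed sample values.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for SHA-256
MSK_LEN = 64                   # EAP MSK is 64 octets (RFC 5216 Section 2.3)

# Constructed stand-in for the TLS 1.3 exporter_master_secret (RFC 8446 Section 7.1).
EXPORTER_MASTER_SECRET = hashlib.sha256(b"constructed exporter_master_secret").digest()


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract; an empty salt is replaced by HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 Section 7.1 HKDF-Expand-Label. HkdfLabel is
    uint16 length || opaque label<7..255> ("tls13 " + Label) || opaque context<0..255>."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """RFC 8446 Section 7.1 Derive-Secret; the Messages argument is transcript-hashed."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def tls_exporter(exporter_master_secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 Section 7.5:
    TLS-Exporter(label, context_value, key_length) =
        HKDF-Expand-Label(Derive-Secret(Secret, label, ""),
                          "exporter", Hash(context_value), key_length)
    An empty context is allowed (the message cites RFC 5705 for this); in TLS 1.3
    it is hashed like any other context value."""
    label_secret = derive_secret(exporter_master_secret, label, b"")
    return hkdf_expand_label(label_secret, b"exporter", HASH(context).digest(), length)


def eap_msk(label: bytes, context: bytes, secret: bytes = EXPORTER_MASTER_SECRET) -> bytes:
    """64-octet EAP MSK from the exporter with the caller's label and context."""
    return tls_exporter(secret, label, context, MSK_LEN)


def labels_are_independent(secret: bytes = EXPORTER_MASTER_SECRET) -> bool:
    """Per-method labels, as proposed in the thread, keep EAP-TLS and EAP-TTLS
    key material apart even with an empty context and the same TLS session."""
    return (eap_msk(b"EXPORTER_EAP_TLS_MSK", b"", secret)
            != eap_msk(b"EXPORTER_EAP_TTLS_MSK", b"", secret))


def peers_agree(server_context: bytes, peer_context: bytes,
                secret: bytes = EXPORTER_MASTER_SECRET) -> bool:
    """True only if both ends derive the same MSK. Putting Server-Id/Peer-Id into
    the context on one side while the other side (a supplicant that does not have
    those values, as described in the thread) uses the empty string makes them differ."""
    label = b"EXPORTER_EAP_TLS_MSK"
    return eap_msk(label, server_context, secret) == eap_msk(label, peer_context, secret)


if __name__ == "__main__":
    # Constructed identities; real ones would come from the certificates (RFC 5216 Section 5.2).
    server_id, peer_id = b"aaa.example.net", b"user@example.net"
    full_ctx = server_id + b"\x00" + peer_id  # separator is an assumption of this example
    print("EAP-TLS  MSK:", eap_msk(b"EXPORTER_EAP_TLS_MSK", b"").hex())
    print("EAP-TTLS MSK:", eap_msk(b"EXPORTER_EAP_TTLS_MSK", b"").hex())
    print("labels independent:", labels_are_independent())
    print("both sides empty context agree:", peers_agree(b"", b""))
    print("server uses ids, peer uses empty, agree:", peers_agree(full_ctx, b""))
```

The last line prints False: that is the situation Martin warns about, where the two ends disagree on what went into the context and the key confirmation that follows EAP fails because the MSKs do not match. If the identifiers are to be bound into the exporter, both implementations have to expose the same Server-Id and Peer-Id encoding to the derivation.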