Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
Alan DeKok <aland@deployingradius.com> Mon, 01 February 2021 19:53 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9869F3A1417; Mon, 1 Feb 2021 11:53:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OfdgCw1xPm7d; Mon, 1 Feb 2021 11:53:02 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41A953A1412; Mon, 1 Feb 2021 11:53:01 -0800 (PST)
Received: from [192.168.46.129] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id B4262384; Mon, 1 Feb 2021 19:52:59 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAOgPGoA9FqzEGr5_XVYVr2bairdWdNV-Bh8PX462cRKcSrjpug@mail.gmail.com>
Date: Mon, 01 Feb 2021 14:52:58 -0500
Cc: Benjamin Kaduk <kaduk@mit.edu>, "<tls@ietf.org>" <tls@ietf.org>, EMU WG <emu@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <EAEC77E1-EFF1-4B39-9275-2D053584AC76@deployingradius.com>
References: <9ddd1593-3131-f5cc-d0db-74bf3db697bf@ericsson.com> <3CB58153-8CCA-4B1E-B530-BA67A6035310@deployingradius.com> <CAOgPGoA3U+XpZMY7J+KGovNx6MtAdEzRaGW33xVJdQNWSi4LVg@mail.gmail.com> <770e6a49-52fc-4e8b-91af-48f85e581fbb@www.fastmail.com> <CAOgPGoBGOMXH-kMhQSujWxnACdmBL845u0ouE0fUYc4rWtUrZg@mail.gmail.com> <ca4c526e-79a0-4fa7-abda-2b626795f068@www.fastmail.com> <3409F71E-4CE4-46BB-8079-BFBE9BE83C9A@deployingradius.com> <66157321-55DC-4831-8EF2-D75934D9024C@deployingradius.com> <20210129183220.GI21@kduck.mit.edu> <1A830492-3404-4BCC-844B-D7D950458BD9@deployingradius.com> <20210201171155.GB21@kduck.mit.edu> <CAOgPGoA9FqzEGr5_XVYVr2bairdWdNV-Bh8PX462cRKcSrjpug@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rQ68Knbx1_PcgnjDGIlzh-4UneA>
Subject: Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2021 19:53:05 -0000
On Feb 1, 2021, at 1:30 PM, Joseph Salowey <joe@salowey.net> wrote: > [Joe] This could also address the early export of keys before the peer is authenticated. RFC 5216 provides a canonical way to create these IDs, but I'm not sure anyone follows it today FreeRADIUS does not officially expose Peer-Id or Server-Id. But the certificate subjectAltNames are available via the policy engine. The greater difficulty is *which* Id to use. RFC 5216 Section 5.2 says: It is possible for more than one subjectAltName field to be present in a peer or server certificate in addition to an empty or non-empty subject distinguished name. EAP-TLS implementations supporting export of the Peer-Id and Server-Id SHOULD export all the subjectAltName fields within Peer-Ids or Server-Ids, and SHOULD also export a non-empty subject distinguished name field within the Peer- Ids or Server-Ids. All of the exported Peer-Ids and Server-Ids are considered valid. > and it may be difficult to implement in practice due to ordering. It might be simpler to just specify that the end entity peer and client certificates are used in the key derivation. Most libraries provide APIs to get the raw certs. Yes. We expose the certs to the policy engine, along with various fields. Having the TLS exporter use more data should just be about updating some code. Alan DeKok.
- [TLS] Fwd: Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [TLS] Fwd: Benjamin Kaduk's Discuss on draft-… Martin Thomson
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Martin Thomson
- Re: [TLS] Fwd: Benjamin Kaduk's Discuss on draft-… Mohit Sethi M
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] Fwd: Benjamin Kaduk's Discuss on draft-… Martin Thomson
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Martin Thomson
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [TLS] Fwd: Benjamin Kaduk's Discuss on draft-… Benjamin Kaduk
- Re: [TLS] Fwd: Benjamin Kaduk's Discuss on draft-… Benjamin Kaduk
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Salz, Rich
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Michael Richardson
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Michael Richardson
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Martin Thomson
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Martin Thomson
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Martin Thomson
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Jorge Vergara
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … John Mattsson
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Jorge Vergara
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Mohit Sethi M
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Jorge Vergara
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Peter Gutmann
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Salz, Rich
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Jorge Vergara
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Alan DeKok
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Benjamin Kaduk
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Joseph Salowey
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … John Mattsson
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … Eric Rescorla
- Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on … John Mattsson