Below is the text for the Error TLV. This should have the error messages we
discussed. I also moved the CSR-related error messages to warnings.
Cheers,
Joe
4.2.6. Error TLV
The Error TLV allows an EAP peer or server to indicate errors to the
other party. A TEAP packet can contain 0 or more Error TLVs. The
Error-Code field describes the type of error. Error Codes 1-999
represent successful outcomes (informative messages), 1000-1999
represent warnings, and codes 2000-2999 represent fatal errors. A
fatal Error TLV MUST be accompanied by a Result TLV indicating
failure and the conversation is terminated as described in
Section 3.6.3.
Many of the error codes below refer to errors in inner method
processing that may be retrieved if made available by the inner
method. Implementations MUST take care that error messages do not
reveal too much information to an attacker. For example, the usage
of error message 1031 (User account credentials incorrect) is NOT
RECOMMENDED, because it allows an attacker to determine valid
usernames by differentiating this response from other responses. It
should only be used for troubleshooting purposes.
The Error TLV is defined as follows:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R|         TLV Type          |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Error-Code                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
M
   Mandatory, set to one (1)
R
   Reserved, set to zero (0)
TLV Type
   5 for Error TLV
Length
   4
Error-Code
   The Error-Code field is four octets. Currently defined values for
   Error-Code include:
      1 User account expires soon
      2 User account credential expires soon
      3 User account authorisations change soon
      4 Clock skew detected
      5 Contact administrator
      6 User account credentials change required
      1001 Inner Method Error
      1002 Unspecified authentication infrastructure problem
      1003 Unspecified authentication failure
      1004 Unspecified authorisation failure
      1005 User account credentials unavailable
      1006 User account expired
      1007 User account locked: try again later
      1008 User account locked: admin intervention required
      1009 Authentication infrastructure unavailable
      1010 Authentication infrastructure not trusted
      1011 Clock skew too great
      1012 Invalid inner realm
      1013 Token out of sync: administrator intervention required
      1014 Token out of sync: PIN change required
      1015 Token revoked
      1016 Tokens exhausted
      1017 Challenge expired
      1018 Challenge algorithm mismatch
      1019 Client certificate not supplied
      1020 Client certificate rejected
      1021 Realm mismatch between inner and outer identity
      1022 Unsupported Algorithm In Certificate Signing Request
      1023 Unsupported Extension In Certificate Signing Request
      1024 Bad Identity In Certificate Signing Request
      1025 Bad Certificate Signing Request
      1026 Internal CA Error
      1027 General PKI Error
      1028 Inner method's channel binding data required but not supplied
      1029 Inner method's channel binding data did not include required information
      1030 Inner method's channel binding failed
      1031 User account credentials incorrect [USAGE NOT RECOMMENDED]
      2001 Tunnel Compromise Error
      2002 Unexpected TLVs Exchanged
On Sep 10, 2013, at 9:44 AM, Joseph Salowey (jsalowey) <[email protected]>
wrote:
>
> On Sep 9, 2013, at 8:10 AM, Josh Howlett <[email protected]> wrote:
>
>>>>
>>>> - User account credentials incorrect
>>>> - User account credentials change required
>>>
>>> [Joe] I am concerned that these error messages reveal too much
>>> information to an attacker.
>>
>> I agree there are risks if used inappropriately, but nonetheless there are
>> reasonable uses for these (for example, switching it on temporarily when
>> debugging) as these are very common error conditions. I suggest that these
>> be optional to implement and use, and that we have security considerations
>> text that highlights the issue. Happy to propose some text.
>>
>
> [Joe] I'm not really in favor of including things in standards that should
> not be used. I am concerned that this could delay the document. If you
> provide some sample text and no-one objects then I will include this in the
> document.
>
>> Josh.
>>
>
> _______________________________________________
> Emu mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/emu
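The Error TLV layout and code ranges in the proposed text above, as an added example that is not part of the draft or of this thread: a small Python encoder/parser that classifies codes into the informative, warning and fatal ranges and checks the rule that a fatal Error TLV must be accompanied by a Result TLV indicating failure. The Result TLV type (3) and its Failure status (2) are assumptions here, since the Result TLV is not defined on this page.

```python
import struct
# Added example (not from the draft or the thread): encode, parse and check TEAP Error TLVs
# using the layout above: M(1) R(1) Type(14) Length(16) followed by a 32-bit Error-Code.
ERROR_TLV_TYPE, ERROR_TLV_LENGTH = 5, 4
RESULT_TLV_TYPE, RESULT_STATUS_FAILURE = 3, 2  # assumed values; the Result TLV is not defined on this page

def build_error_tlv(code):
    """Encode an Error TLV with M=1, R=0, Type=5, Length=4 and a four-octet Error-Code."""
    header = (1 << 15) | ERROR_TLV_TYPE  # M bit set, R bit clear, 14-bit type
    return struct.pack("!HHI", header, ERROR_TLV_LENGTH, code)

def build_result_tlv(status):
    """Encode a Result TLV (assumed: type 3, Length 2, two-octet Status)."""
    return struct.pack("!HHH", (1 << 15) | RESULT_TLV_TYPE, 2, status)

def parse_tlvs(data):
    """Split a TLV sequence into (mandatory, tlv_type, value) tuples, rejecting truncation."""
    tlvs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated TLV header")
        header, length = struct.unpack_from("!HH", data, off)
        value = data[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        tlvs.append((bool(header >> 15), header & 0x3FFF, value))
        off += 4 + length
    return tlvs

def classify(code):
    """Severity per the draft: 1-999 informative, 1000-1999 warning, 2000-2999 fatal."""
    if 1 <= code <= 999:
        return "informative"
    if 1000 <= code <= 1999:
        return "warning"
    return "fatal" if 2000 <= code <= 2999 else "unassigned"

def check_packet(data):
    """Return Error TLV severities and whether any fatal error has its Result(Failure) TLV."""
    severities, result_failure = [], False
    for mandatory, tlv_type, value in parse_tlvs(data):
        if tlv_type == ERROR_TLV_TYPE:
            if not mandatory or len(value) != ERROR_TLV_LENGTH:
                raise ValueError("malformed Error TLV")
            severities.append(classify(struct.unpack("!I", value)[0]))
        elif tlv_type == RESULT_TLV_TYPE and len(value) == 2:
            result_failure = struct.unpack("!H", value)[0] == RESULT_STATUS_FAILURE
    return severities, ("fatal" not in severities) or result_failure

print(check_packet(build_error_tlv(2001)))  # (['fatal'], False): constructed fatal code with no Result TLV
```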