Below is my summary of the situation:

- It seems like there will be consensus to have protected result indicators in EAP-TLS 1.3.
- No one has objected to mandating an Error alert on a fatal error condition.
- Optional protected result indicators are different from mandatory result indicators; the recent suggestion is that protected failure result indicators shall be mandatory.
- Success indicators and failure indicators need to be discussed together.

Below is my summary of the alternatives:

1. Use close_notify alert as protected success. Use other alerts as protected failure.

  To make it work I think EAP-TLS 1.3 needs to profile TLS 1.3 as:

  - Forbid close_notify except as success indication
  - Mandate Error alert before EAP-Failure
  - Forbid all use of user_cancelled

  Alternatively

  - Forbid close_notify except as success indication
  - Mandate Error alert or user_cancelled before EAP-Failure

2. Use application data for protected result indicators. Mandate alert (closure or error) before EAP-Failure.

   TLS people have stated that this might be reordered and that it is a layer violation.

   I think the worries can be overcome by writing things as requirements on the EAP-TLS layer, e.g.

   "After sending application data in an EAP-Request the EAP-TLS server MUST not send any more EAP-Request"

3. Success and failure indication on the EAP-TLS layer

   This was never discussed beyond that using an unprotected flag bit was not acceptable.

   Things at the EAP-TLS layer can quite easily be made protected.

   - Use one of the reserved bits in the EAP-TLS packet to indicate success.
   - Append TLS-Exporter("EXPORTER_EAP_TLS_SUCCESS_" + Type-Code, "", 16) to the packet

   - Use another of the reserved bits in the EAP-TLS packet to indicate failure.
   - Append TLS-Exporter("EXPORTER_EAP_TLS_FAILURE_" + Type-Code, "", 16) to the packet

   A solution at the EAP-TLS layer would not be dependent on profiling TLS 1.3

4. Success on EAP-TLS layer. Mandate alert (closure or error) before EAP-Failure.

5. Failure on EAP-TLS layer. Application data for success, 

I think 1. seems like the most complicated solution. It is also kind of ugly as it uses an alert as indication for success. That said, I can live with any solution that is acceptable for implementors and TLS people.

Cheers,
John
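As an added illustration of alternative 3 (not part of John's message or of the EAP-TLS draft), the following Python computes the protected indicator tag with the TLS 1.3 exporter construction from RFC 8446 and checks it on the receiving side. It assumes Type-Code is appended to the label as the single EAP-TLS type octet (0x0D), that the tag is the last 16 bytes of the packet, and that the exporter_master_secret and the EAP-TLS header bytes are constructed placeholders, not values from a real handshake.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size
EAP_TLS_TYPE_CODE = 0x0D  # EAP method type for EAP-TLS, used here as the Type-Code octet (assumption)

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with the hash fixed above."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 7.1): HkdfLabel = length || "tls13 " + label || context."""
    full_label = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def tls_exporter(exporter_master_secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """TLS-Exporter (RFC 8446 7.5): Derive-Secret(EMS, label, "") then expand with "exporter"."""
    derived = hkdf_expand_label(exporter_master_secret, label, HASH(b"").digest(), HASH_LEN)
    return hkdf_expand_label(derived, b"exporter", HASH(context).digest(), length)

def result_indicator(ems: bytes, success: bool, type_code: int = EAP_TLS_TYPE_CODE) -> bytes:
    """16-byte tag that accompanies the success/failure flag bit in the EAP-TLS packet.
    Separate labels give separate keys, so a success tag can never pass as a failure tag."""
    base = b"EXPORTER_EAP_TLS_SUCCESS_" if success else b"EXPORTER_EAP_TLS_FAILURE_"
    return tls_exporter(ems, base + bytes([type_code]), b"", 16)

def append_indicator(packet: bytes, ems: bytes, success: bool) -> bytes:
    """Sender side: packet (with its flag bit already set) followed by the tag."""
    return packet + result_indicator(ems, success)

def verify_indicator(packet_with_tag: bytes, ems: bytes, success: bool) -> bool:
    """Receiver side: recompute the tag for the flag it sees and compare in constant time.
    A flag bit flipped on the wire fails here, since only the two TLS endpoints hold the secret."""
    if len(packet_with_tag) < 16:
        return False
    return hmac.compare_digest(result_indicator(ems, success), packet_with_tag[-16:])

if __name__ == "__main__":
    ems = hashlib.sha256(b"constructed exporter_master_secret, not from a real handshake").digest()
    header = b"\x01\x2a\x00\x16\x0d\x10"  # constructed EAP-TLS header: Request, Id 42, len 22, Type 13, flag bit
    pkt = append_indicator(header, ems, success=True)
    print(verify_indicator(pkt, ems, success=True), verify_indicator(pkt, ems, success=False))
```

Because the tag is keyed by the connection's exporter_master_secret, a receiver that has not completed the handshake cannot be convinced by a forged indicator of either kind.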


_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
