Re: [Emu] TLS1.3 and TEAP (RE: POST WGLC Comments draft-ietf-emu-eap-tls13)

2019-11-08 Thread Jorge Vergara
> Since it looks like TEAP hasn't actually been implemented much, it's probably 
> best to move the TLS 1.3 fixes into a general "oops, we need to fix TEAP" 
> document.

I can understand the reasoning here, but it's my opinion that we should default 
to including TEAP changes for TLS1.3 in draft-dekok-emu-tls-eap-types. If the 
changes become lengthy or complex then I would understand moving them to a 
different document. But it's my belief that the currently proposed updates in 
draft-dekok-emu-tls-eap-types are sufficient. Are there further TEAP specific 
changes that are thought to be needed?

The latest Windows insider builds contain a TEAP implementation if you would 
like to play with another supplicant implementation.

-Original Message-
From: Emu On Behalf Of Alan DeKok
Sent: Thursday, November 7, 2019 9:50 AM
To: Owen Friel (ofriel)
Cc: draft-ietf-emu-eap-tl...@ietf.org; EMU WG; John Mattsson; Michael Richardson
Subject: Re: [Emu] TLS1.3 and TEAP (RE: POST WGLC Comments draft-ietf-emu-eap-tls13)

On Nov 7, 2019, at 12:30 PM, Owen Friel (ofriel) wrote:
> 
> 
> [ofriel] Question to the WG: should the TEAP changes for TLS1.3 be included 
> in draft-dekok-emu-tls-eap-types?

  If they're minor, it may be OK.

> Or in draft-lear-eap-teap-brski - and note that the title is changed to
> "TEAP Update and Extensions for Bootstrapping"? Or potentially both? Eliot,
> Nancy and I had planned on adding TLS1.3 updates to
> draft-lear-eap-teap-brski, but haven't got it done yet.

  Since it looks like TEAP hasn't actually been implemented much, it's probably 
best to move the TLS 1.3 fixes into a general "oops, we need to fix TEAP" 
document.

  Alan DeKok.

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu


Re: [Emu] TLS1.3 and TEAP (RE: POST WGLC Comments draft-ietf-emu-eap-tls13)

2019-11-07 Thread Alan DeKok
On Nov 7, 2019, at 12:30 PM, Owen Friel (ofriel) wrote:
> 
> 
> [ofriel] Question to the WG: should the TEAP changes for TLS1.3 be included 
> in draft-dekok-emu-tls-eap-types?

  If they're minor, it may be OK.

> Or in draft-lear-eap-teap-brski - and note that the title is changed to
> "TEAP Update and Extensions for Bootstrapping"? Or potentially both? Eliot,
> Nancy and I had planned on adding TLS1.3 updates to
> draft-lear-eap-teap-brski, but haven't got it done yet.

  Since it looks like TEAP hasn't actually been implemented much, it's probably 
best to move the TLS 1.3 fixes into a general "oops, we need to fix TEAP" 
document.

  Alan DeKok.


[Emu] TLS1.3 and TEAP (RE: POST WGLC Comments draft-ietf-emu-eap-tls13)

2019-11-07 Thread Owen Friel (ofriel)



> -Original Message-
> From: Emu On Behalf Of Alan DeKok
> Sent: 01 November 2019 11:08
> To: John Mattsson
> Cc: draft-ietf-emu-eap-tl...@ietf.org; Michael Richardson; John Mattsson; EMU WG
> Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
> 
> On Nov 1, 2019, at 6:15 AM, John Mattsson wrote:
> > I strongly support working group adoption of draft-dekok-emu-tls-eap-types.
> > Can we make sure to get this document going, I agree that this is a very
> > needed draft. I think it should include updates for everything people want
> > to use. I do not think draft-ietf-emu-eap-tls13 strictly has to wait for
> > draft-dekok-emu-tls-eap-types, but draft-dekok-emu-tls-eap-types should be
> > published shortly after.
> 
>   I will do an update to my document shortly.

[ofriel] Question to the WG: should the TEAP changes for TLS1.3 be included in 
draft-dekok-emu-tls-eap-types? Or in draft-lear-eap-teap-brski - and note that 
the title is changed to "TEAP Update and Extensions for Bootstrapping"? Or 
potentially both? Eliot, Nancy and I had planned on adding TLS1.3 updates to 
draft-lear-eap-teap-brski, but haven't got it done yet.

> 
>   I also added an issue with the EAP-TLS document on GitHub.  The suggestion
> is to add text which explains how (and why) the EAP Identity is chosen during
> resumption:
> 
> ---
> The EAP Identity used in resumption SHOULD be the same EAP Identity as was
> used during the original authentication. This requirement allows EAP packets
> to be routable through an AAA infrastructure to the same destination as the
> original authentication.
> 
> The alternative is to derive the EAP Identity from the identity used inside
> of TLS. This derivation is common practice when using certificates, and works
> because the "common name" field in the certificate is typically compatible
> with EAP, and it contains a routable identifier such as an email address. This
> practice cannot be used for resumption, as the PSK identity may be a binary
> blob, and it might not contain a routable realm as suggested by RFC 7542.
> 
> In some cases, the PSK identity is derived by the underlying TLS
> implementation, and cannot be controlled by the EAP authenticator. These
> limitations make the PSK identity unsuitable for use as the EAP Identity.
> ---
> 
>   Alan DeKok.

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
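
The resumption identity rule in the text quoted in the message above, as an added example that is not part of the thread or of any draft: a peer-side cache that reuses the original EAP Identity, next to a realm check showing why a PSK identity cannot stand in for it. The names `routable_realm`, `ResumptionIdentityCache` and `CONSTRUCTED_TICKET` are hypothetical, and the realm pattern is a simplified approximation of the RFC 7542 syntax, not its full ABNF.

```python
import re

# Simplified realm check (assumption): two or more dot-separated
# letter/digit/hyphen labels. RFC 7542 allows more than this.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_REALM = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")

# Constructed sample: an opaque TLS 1.3 ticket used as the PSK identity.
CONSTRUCTED_TICKET = bytes.fromhex("8f3a00c4d1ffee0142")


def routable_realm(identity: bytes):
    """Return the realm an AAA proxy could route on, or None if there is none."""
    try:
        text = identity.decode("utf-8")
    except UnicodeDecodeError:
        return None  # binary blob: cannot be carried as an EAP Identity string
    user, sep, realm = text.rpartition("@")
    if not sep or not user or not _REALM.match(realm):
        return None  # no "user@realm" structure, so nothing to route on
    return realm.lower()


class ResumptionIdentityCache:
    """Hypothetical peer-side store: PSK identity -> original EAP Identity."""

    def __init__(self):
        self._by_psk = {}

    def remember(self, psk_identity: bytes, eap_identity: str) -> None:
        # Called after a full authentication, when the server issues a ticket.
        if routable_realm(eap_identity.encode("utf-8")) is None:
            raise ValueError("original EAP Identity has no routable realm")
        self._by_psk[psk_identity] = eap_identity

    def identity_for_resumption(self, psk_identity: bytes) -> str:
        # Reuse the identity from the original authentication so the packets
        # reach the same AAA destination; do not derive it from the ticket.
        return self._by_psk[psk_identity]


if __name__ == "__main__":
    cache = ResumptionIdentityCache()
    cache.remember(CONSTRUCTED_TICKET, "alice@example.org")
    print("realm from ticket:", routable_realm(CONSTRUCTED_TICKET))
    print("identity sent on resumption:",
          cache.identity_for_resumption(CONSTRUCTED_TICKET))
```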