There seems to have been a bad edit on my previous message on the 2nd flow.  See below.

On 05.10.22 18:42, Eliot Lear wrote:

Hi everyone,

Picking up on some TEAP work again.

TL;DR: need clarity on how Crypto-Binding TLVs are handled when there is no inner EAP method.  Also note the use of Request-Action.

Key questions: what value to pass for EMSK and MSK in crypto binding response when there is no inner method?  Zeros?

Also, can the flags indicate that there is no EMSK or MSK? This would solve our first problem.

Finally, are we cool piggybacking Result and Crypto-binding on a PKCS#7 TLV?

Flows follow:

Use case 1:

Device just wants to use TEAP in the same way one would use EAP-TLS.  This would be what I would call "normal operations". That is, we would expect something along the following lines:

      ,----.                ,------.
      |Peer|                |Server|
      `-+--'                `--+---'
        |    1 EAP-Request/    |
        |    Identity          |
        | <---------------------
        |                      |
        |    2 EAP-Response/   |
        |    Type=Identity     |
        | --------------------->
        |                      |
     ,----------------------------!.
     |Section 3.2                 |_\
     `------------------------------'
        |   3 EAP-Request/     |
        |   Type=TEAP,         |
        |   TEAP Start,        |
        |   Authority-ID TLV   |
        | <---------------------
        |                      |
        |   4 EAP-Response/    |
        |   Type=TEAP,         |
        |   TLS(ClientHello)   |
        | --------------------->
        |                      |
        |  5 EAP-Request/      |
        |  Type=TEAP,          |
        |  TLS(ServerHello,    |
        |  ServerKeyExchange,  |
        |  ServerHelloDone)    |
        | <---------------------
        |                      |
        |  6 EAP-Response/     |
        |  Type=TEAP,          |
        |  ClientKeyExchange,  |
        |  CertificateVerify,  |
        |  ChangeCipherSpec,   |
        |  Finished)           |
        | --------------------->
        |                      |
     ,----------------------------!.
     |Section 3.3.3               |_\
     `------------------------------'
        | 7 EAP-Request/       |
        | Type=TEAP,           |
        | TLS(ChangeCipherSpec,|
        | Finished),           |
        | Result TLV,          |
        | Crypto-Binding TLV   |
        | <---------------------
        |                      |
        |  8 EAP-Response/     |
        |  Type=TEAP,          |
        |  Result TLV,         |
        |  Crypto-Binding TLV  |
        | --------------------->
        |                      |
        |     9 EAP-Success    |
        | <---------------------
      ,-+--.                ,--+---.
      |Peer|                |Server|
      `----'                `------'

Note the lack of an Intermediate Result TLV, because the text states that Intermediate Results are only required upon completion of an inner EAP method.

The second use case involves the use of PKCS#10/PKCS#7 messages.  We think that looks like this:


      ,----.                                             ,------.          ,--.
      |Peer|                                             |Server|          |CA|
      `-+--'                                             `--+---'          `+-'
        |                    EAP-Request/                   |               |
        |                    Identity                       |               |
        | <--------------------------------------------------               |
        |                                                   |               |
        |                   EAP-Response/                   |               |
        |                   Type=Identity                   |               |
        | -------------------------------------------------->               |
        |                                                   |               |
        |                  EAP-Request/                     |               |
        |                  Type=TEAP,                       |               |
        |                  TEAP Start,                      |               |
        |                  Authority-ID TLV                 |               |
        | <--------------------------------------------------               |
        |                                                   |               |
        |                  EAP-Response/                    |               |
        |                  Type=TEAP,                       |               |
        |                  TLS(ClientHello)                 |               |
        | -------------------------------------------------->               |
        |                                                   |               |
        |                 EAP-Request/                      |               |
        |                 Type=TEAP,                        |               |
        |                 TLS(ServerHello,                  |               |
        |                 ServerKeyExchange,                |               |
        |                 ServerHelloDone)                  |               |
        | <--------------------------------------------------               |
        |                                                   |               |
        |                 EAP-Response/                     |               |
        |                 Type=TEAP,                        |               |
        |                 ClientKeyExchange,                |               |
        |                 CertificateVerify,                |               |
        |                 ChangeCipherSpec,                 |               |
        |                 Finished)                         |               |
        | -------------------------------------------------->               |
        |                                                   |               |
     ,---------------------------------------------------------!.           |
     |Section 4.2.9                                            |_\          |
     `-----------------------------------------------------------'          |
        |         EAP-Request/                              |               |
        |         Type=TEAP,                                |               |
        |         TLS(ChangeCipherSpec,                     |               |
        |         Finished),                                |               |
        |         Request Action TLV(Status=Failure         |               |
        |         ,Action=Process-TLV,TLV=PKCS#10)          |               |
        | <--------------------------------------------------               |
        |                                                   |               |
        |                   EAP-Response/                   |               |
        |                   Type=TEAP                       |               |
        |                   {PKCS#10 TLV}                   |               |
        | -------------------------------------------------->               |
        |                                                   |               |
     ,---------------------------------------------------------!.           |
     |Section 4.2.17                                           |_\          |
     `-----------------------------------------------------------'          |
        |                                                   |    PKCS#10    |
        |                                                   | -------------->
        |                                                   |               |
        |                                                   |     PKCS#7    |
        |                                                   | <--------------
        |                                                   |               |
     ,---------------------------------------------------------!.           |
     |Section 4.2.16                                           |_\          |
     |Section 3.3.3                                              |          |
     `-----------------------------------------------------------'          |
        | EAP-Request/                                      |               |
        | Type=TEAP,                                        |               |
        | {PKCS#7 TLV,Crypto-Binding TLV,Result TLV=Success}|               |
        | <--------------------------------------------------               |
        |                                                   |               |
        |                EAP-Response/                      |               |
        |                Type=TEAP                          |               |
        |                {Crypto-Binding TLV,               |               |
        |                Result TLV=Success}                |               |
        | -------------------------------------------------->               |
        |                                                   |               |
        |                    EAP-Success                    |               |
        | <--------------------------------------------------               |
      ,-+--.                                             ,--+---.          ,+-.
      |Peer|                                             |Server|          |CA|
      `----'                                             `------'          `--'


Eliot
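Added example (not from this thread or from any TEAP implementation): a small Python builder and parser for the Crypto-Binding TLV laid out in RFC 7170 Section 4.2.13, showing how the Flags nibble records which Compound MACs are carried (1 = EMSK, 2 = MSK, 3 = both) and how the Sub-Type nibble distinguishes a Binding Request (0) from a Binding Response (1). The sample TLV, its nonce and its MAC bytes are constructed values; deriving the real Compound MACs from the CMK is not shown.

```python
import struct

# TEAP Crypto-Binding TLV constants (RFC 7170, Section 4.2.13)
CRYPTO_BINDING_TLV_TYPE = 12
CRYPTO_BINDING_BODY_LEN = 76   # 4 fixed bytes + 32 nonce + 20 EMSK MAC + 20 MSK MAC
MANDATORY_BIT = 0x8000         # M bit of the TLV header; set for Crypto-Binding
FLAG_EMSK_MAC = 0x1            # Flags: EMSK Compound MAC present
FLAG_MSK_MAC = 0x2             # Flags: MSK Compound MAC present
SUBTYPE_REQUEST = 0
SUBTYPE_RESPONSE = 1

def build_crypto_binding_tlv(version, received_version, flags, sub_type,
                             nonce, emsk_mac=bytes(20), msk_mac=bytes(20)):
    """Serialize a Crypto-Binding TLV; absent MACs are sent as 20 zero bytes."""
    if len(nonce) != 32 or len(emsk_mac) != 20 or len(msk_mac) != 20:
        raise ValueError("nonce must be 32 bytes, each Compound MAC 20 bytes")
    if flags & ~0xF or sub_type & ~0xF:
        raise ValueError("Flags and Sub-Type are 4-bit fields")
    header = struct.pack("!HH", MANDATORY_BIT | CRYPTO_BINDING_TLV_TYPE,
                         CRYPTO_BINDING_BODY_LEN)
    fixed = struct.pack("!BBBB", 0, version, received_version, (flags << 4) | sub_type)
    return header + fixed + nonce + emsk_mac + msk_mac

def parse_crypto_binding_tlv(data):
    """Decode one Crypto-Binding TLV into a dict; reject anything malformed."""
    if len(data) < 4:
        raise ValueError("truncated TLV header")
    type_field, length = struct.unpack("!HH", data[:4])
    tlv_type = type_field & 0x3FFF          # strip the M and R bits
    if tlv_type != CRYPTO_BINDING_TLV_TYPE:
        raise ValueError(f"not a Crypto-Binding TLV (type {tlv_type})")
    if length != CRYPTO_BINDING_BODY_LEN or len(data) < 4 + length:
        raise ValueError("bad Crypto-Binding TLV length")
    body = data[4:4 + length]
    _reserved, version, received_version, fs = struct.unpack("!BBBB", body[:4])
    flags, sub_type = fs >> 4, fs & 0xF
    return {
        "mandatory": bool(type_field & MANDATORY_BIT),
        "version": version, "received_version": received_version,
        "flags": flags, "sub_type": sub_type,
        "emsk_mac_present": bool(flags & FLAG_EMSK_MAC),
        "msk_mac_present": bool(flags & FLAG_MSK_MAC),
        "nonce": body[4:36],
        "emsk_compound_mac": body[36:56],
        "msk_compound_mac": body[56:76],
    }

# Constructed sample: a Binding Response carrying only an MSK Compound MAC
SAMPLE_NONCE = bytes(range(32))
SAMPLE_RESPONSE = build_crypto_binding_tlv(1, 1, FLAG_MSK_MAC, SUBTYPE_RESPONSE,
                                           SAMPLE_NONCE, msk_mac=b"\xAA" * 20)
```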


_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
