On Aug 21, 2023, at 10:40 AM, Heikki Vatiainen
wrote:
>
> draft-ietf-emu-rfc7170bis-08 added the following paragraph to section 7.4.1.
> "User Identity Protection and Verification":
> https://author-tools.ietf.org/iddiff?url1=draft-ietf-emu-rfc7170bis-07&url2=draft-ietf-emu-rfc7170bis-08&difftype=--html
>
> Note that the Phase 2 data could simply be a Result TLV with value Success,
> along with a Crypto-Binding TLV and Intermediate-Result TLV. This Phase 2
> data serves as a protected success indication as discussed in [RFC9190]
> Section 2.1.1
>
> My suggestion is to remove Intermediate-Result TLV from the above paragraph.
OK.
> First, section 3.5.5 "Protected Termination and Acknowledged Result
> Indication" currently says:
>
> A successful TEAP Phase 2 conversation MUST always end in a successful
> Crypto-Binding TLV and Result TLV exchange. A TEAP server may initiate the
> Crypto-Binding TLV and Result TLV exchange without initiating any EAP
> conversation in TEAP Phase 2.
> ...
> The Crypto-Binding TLV and Intermediate-Result TLV MUST be included to
> perform cryptographic binding after each successful authentication in a
> sequence of one or more inner methods.
>
> The first part of the above quote says that Crypto-Binding and Result TLVs
> are enough if there's no EAP conversation in phase 2. Based on the second
> part of the quote, because there's no inner method, logic says that
> Intermediate-Result TLV isn't needed.
>
> Finally, testing against eapol_test from wpa_supplicant shows that this works:
> Result-TLV (success)
> Cryptobinding-TLV
>
> where as this makes eapol_test trigger failure:
> Intermediate-Result TLV (success)
> Result-TLV (success)
> Cryptobinding-TLV
>
> To summarise. If the last paragraph of draft-12 section 7.4.1. "User Identity
> Protection and Verification" is updated, it would make the text more
> consistent with the other parts of the draft and allow EAP-TLS -like
> behaviour to work with eapol_test (wpa_supplicant).
That makes sense to me. I'll update it.
Alan DeKok.
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu