Session Date/Time: 04 Jan 2023 17:00
EMU
Summary
The EMU Working Group held an interim meeting to systematically review open errata for RFC 7170 (TEAP) and the related 7170bis document. The primary objective was to discuss proposed resolutions, identify areas requiring further clarification or modification, and determine which changes could be processed via the errata system and which require direct updates to the 7170bis draft. Key discussions centered on clarifying inner authentication mechanisms, handling MAC truncation for TLS 1.3, and the derivation of the Inner Master Session Key (IMK) for basic password authentication. Several errata were addressed with proposed resolutions, while a few complex issues were tabled or marked for further deliberation.
Key Discussion Points
- Errata Review Process: Alan took attendees through a structured review of open errata, cross-referencing proposed fixes in the 7170bis git repository commits. The aim was to achieve a sense of the room regarding the proposed resolutions.
- Errata 5765 (Authority Field Optional): This was deemed straightforward, clarifying the Authority Field as optional.
- Errata 56157 (Status Field Octet Count): Verified as one octet, changes reflected in commits.
- Errata 5127 (Byte Representation): Discussed the correct hexadecimal byte representation (0x40 instead of 0x04) for certain parameters, with a note for Alan to fix.
- Errata 5128 (Concatenation vs. Commas): Similar to 5127, concerning concatenation rather than commas in byte sequences. Alan to double-check against implementations.
- Errata 5767 (Intermediate Results and EAP Terminology):
- Clarified that intermediate results must be sent after every inner authentication method.
- Discussion arose on standardizing terminology (e.g., "EAP method" vs. "EAP authentication method") and potentially refactoring text for inner authentication. A sense of those present indicated against a major restructure, favoring minimal changes to clarify "EAP authentication method" and the ability to mix/match inner authentication types.
- Oleg suggested using a single consistent term for "inner EAP method," "inner method," and "inner authentication."
- Errata 5768 (MAC Truncation for TLS 1.3):
- The current RFC 7170 specifies a 20-octet inner MAC, which conflicts with variable MAC sizes in TLS 1.3.
- Existing implementations (e.g., Host AP, Windows 10) truncate MACs to 20 octets, only supporting TLS 1.2.
- Concern was raised by Elliot and John that truncating TLS 1.3 MACs could weaken security and would likely face scrutiny from the Security Area Directors.
- Potential options included: revising TEAP to support variable MAC sizes, explicitly defining truncation for TLS 1.2 and variable sizes for TLS 1.3 (as TLS 1.3 for TEAP is not yet implemented), or accepting current truncation until a protocol revision.
- Hickey (via Alan) also brought up the potential utility of EAP notifications for user feedback, which would be new functionality.
- Errata 5770 (Complex Textual Changes): This errata was deemed highly complex with "a lot of text" and no current resolution in the 7170bis document. It was tabled for future discussion.
- Errata 5775 (IMK for Basic Password Authentication):
- Discussion on using zero as the value for the IMK when the inner method is basic password, as proposed in Joe's TEAP Errata repository and implemented in some current work (e.g., Yoni's text for PKCS#7/10 requests).
- Elliot raised concerns about the cryptographic soundness of this approach, especially when the EAP server is not the Certificate Authority (CA) or Registration Authority (RA), complicating crypto binding with TLS secret information (e.g., in EST deployments).
- Joe acknowledged the need to review the PKCS#10 TLV text to improve interoperability and noted that inner method binding issues might be separable.
- Errata 5884 (Diagram Updates): Agreed that diagrams need updating to explicitly show the intermediate result TLV (success/failure) after every inner authentication, aligning with textual clarifications.
- Errata 5885 (Duplicate Intermediate Result): Clarified that the intermediate result TLV is set after every inner authentication, mirroring earlier errata discussions.
- Errata 5886 (Crypto Binding and Result TLV): Discussed the order of crypto binding checks relative to the result TLV. A sense of the room indicated that crypto binding should be sent with intermediate and result TLVs, and checked before the result TLV, but not needed if authentication fails.
- Errata 7529 (EAP-FAST MSCHAP Clarification): A modest textual change clarifying that if MSCHAP is not used, it defaults to EAP-FAST MSCHAP. This was identified as a significant interoperability issue.
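As an added illustration (not part of the meeting record and not RFC 7170's actual TLV encoding or key schedule), the following Python models the ordering and MAC-length rules discussed under Errata 5767, 5768, 5884/5885 and 5886: an Intermediate-Result after every inner method, a Crypto-Binding that accompanies Intermediate-Result and Result and is verified before a Result is accepted, no binding check once authentication has failed, and a Compound MAC that is truncated to 20 octets for TLS 1.2 but kept at full digest length for TLS 1.3. The message layout, the single `cmk`, the `buffer` and the version-dependent truncation are assumptions for illustration.

```python
import hmac

TLS12_MAC_LEN = 20  # RFC 7170's fixed 20-octet Compound MAC field

def compound_mac(cmk, buffer, hash_name, tls13):
    """HMAC over the binding buffer with the TLS-negotiated hash.
    Truncated to 20 octets for TLS 1.2 (what current implementations do);
    full digest length for TLS 1.3 (one option raised for Errata 5768)."""
    mac = hmac.new(cmk, buffer, hash_name).digest()
    return mac if tls13 else mac[:TLS12_MAC_LEN]

def check_exchange(messages, cmk, buffer, hash_name, tls13):
    """messages: server messages in order, one dict of TLV name -> value per
    completed inner method, the last carrying the Result TLV.
    Returns (accepted, reason) applying the ordering rules from the meeting."""
    expected = compound_mac(cmk, buffer, hash_name, tls13)
    failed = False
    for i, msg in enumerate(messages):
        has_ir, has_res = 'Intermediate-Result' in msg, 'Result' in msg
        if not (has_ir or has_res):
            return False, f'msg {i}: Intermediate-Result required after every inner method'
        if 'Failure' in (msg.get('Intermediate-Result'), msg.get('Result')):
            failed = True  # binding check not needed once authentication failed
            continue
        cb = msg.get('Crypto-Binding')
        if cb is None:
            return False, f'msg {i}: Crypto-Binding must accompany Intermediate-Result/Result'
        # verify the binding (constant-time compare) before any Result is accepted
        if len(cb) != len(expected) or not hmac.compare_digest(cb, expected):
            return False, f'msg {i}: Compound MAC mismatch, Result not accepted'
        if has_res:
            return True, 'Result accepted after Crypto-Binding verified'
    return False, 'authentication failed' if failed else 'no Result TLV seen'

# Constructed sample values (not real keys or captured traffic).
CMK = b'constructed-cmk-not-a-real-key'
BUFFER = b'constructed crypto-binding buffer'

def demo():
    mac12 = compound_mac(CMK, BUFFER, 'sha256', tls13=False)  # 20 octets
    good = [{'Intermediate-Result': 'Success', 'Crypto-Binding': mac12},
            {'Result': 'Success', 'Crypto-Binding': mac12}]
    missing = [{'Intermediate-Result': 'Success'},  # binding omitted after inner method
               {'Result': 'Success', 'Crypto-Binding': mac12}]
    return (check_exchange(good, CMK, BUFFER, 'sha256', False),
            check_exchange(missing, CMK, BUFFER, 'sha256', False))

if __name__ == '__main__':
    print(demo())
```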
Decisions and Action Items
- Decision: For Errata 5767, intermediate results MUST be sent after every inner authentication, and clarifying "EAP method" to "EAP authentication method" is preferred over a major document restructure.
- Decision: For Errata 5775, the initial inner IMK for basic password authentication should be specified as zero, pending further discussion on its cryptographic implications and interaction with PKCS#10 TLVs in complex deployment scenarios.
- Decision: Errata 5770 is tabled for discussion at a future meeting due to its complexity.
- Action Item (Alan): Update the text for Errata 5127 to reflect the correct hexadecimal byte (0x40).
- Action Item (Alan): Verify and update text related to Errata 5128 concerning byte sequence concatenation, checking against existing implementations.
- Action Item (Alan): Consider applying Oleg's suggestion to standardize on a single term for "inner EAP method," "inner method," and "inner authentication" throughout the document.
- Action Item (Joe): Begin preparing proposed errata text for simpler changes identified in Alan's 7170bis modifications that are suitable for submission via the errata system. Complex changes requiring broader document modification will be handled as direct updates to 7170bis (held for update).
Next Steps
- The Working Group will hold another interim meeting next week to continue reviewing any remaining open errata and unresolved issues, specifically Errata 5770, and to delve deeper into the implications of MAC truncation for TLS 1.3 (Errata 5768) and the cryptographic binding for basic password / PKCS#10 TLVs (Errata 5775).
- Joe will circulate proposed errata text for simpler changes identified during this review.
- Additional interim meetings will be scheduled as needed to finalize the errata review and progress the 7170bis document.