Session Date/Time: 11 Jan 2023 17:00
EMU
Summary
The EMU Working Group met to discuss remaining errata for RFC 5770 and RFC 5775, as well as significant terminology clarifications proposed for RFC 5767. Key discussions centered on clarifying key derivation processes in 5770, including the implications of zero-key derivation for security, and consistent terminology in 5775. A major editorial change for 5767 regarding "inner method" definition was decided to be held for the full document revision. Extensive discussion also occurred regarding the EAP-FAST PAC TLV, with a general sense of non-implementation and a call for further mailing list discussion on its potential removal from the document.
Key Discussion Points
- RFC 5770 Errata (Key Derivation Clarity):
  - The current text has inconsistencies in the S-IMCK derivation, using IMSK in one place and IMSK[j] elsewhere. The secret for the PRF is specified as the EMSK, but the MSK is also referenced without clear guidance on which to select.
  - Proposed fixes include standardizing on IMSK[j] and clarifying the term "secret."
  - Additional text is proposed to describe the derivation of two complete sequences, one MSK-derived and one EMSK-derived, addressing implementation complexities.
  - Clarified that S-IMCK is an intermediate value, and the ultimate IMCK output can be zero if a method does not produce an EMSK or MSK.
  - Discussion on the security implications of "all-zeros" derivation (e.g., for basic password authentication), acknowledging it provides no security value but simplifies implementation and ensures interoperability. This cannot be changed in an erratum, only in a revision.
  - Elliot suggested reiterating the broader definition of "inner method" (EAP authentication, TLVs, EAP or basic password, vendor-specific) in several places for clarity, as this relates to a previous erratum (RFC 5767).
- RFC 5775 Errata (CMK Definitions):
  - Noted the absence of a definition for CMK[0] while CMK[j] is defined, and inconsistencies in references to CMK.
  - Proposed adding a definition for CMK[0] and ensuring consistent terminology for CMK throughout the document. These changes are considered editorial, improving readability without altering technical meaning.
- RFC 5767 Errata ("Inner Method" Terminology):
  - Reviewed proposed changes to introduce and consistently use a new term, "inner method," encompassing "EAP authentication method, username/password, or vendor specific" methods performed within the tunnel.
  - The "EAP sequences" section would become an "EAP section" to allow discussion of mixing inner methods, and "EAP authentication" would become "inner EAP authentication method."
  - It was decided that these are substantial editorial changes best reserved for the upcoming document revision rather than being published as a standalone erratum.
- EAP-MSCHAPv2 Handling:
  - The document now includes a dedicated section clarifying that EAP-MSCHAPv2 should use the EAP-FAST MSCHAP variant, detailing the specific swapping of 260-octet fields.
- RFC 5128 (PRF Function Signature):
  - A discussion about clarifying PRF function signatures, particularly regarding output lengths and consistency with TLS definitions, led to the closure of an associated issue due to a lack of broader interest.
- EAP-FAST PAC TLV Implementation Status:
  - There was extensive discussion regarding the apparent lack of implementation and deployment of the PAC TLV in EAP-FAST. Cisco has not implemented it, nor is there a known Windows implementation. While wpa_supplicant may have implemented it, it is unclear if it's widely used or interoperable in practice due to past issues with EAP-MSCHAPv2.
  - A rough sense of those present indicates that the PAC TLV might be irrelevant due to non-implementation, leading to a discussion about whether to remove it from the document. Concerns were raised about potential interoperability issues if it were removed, particularly regarding out-of-band provisioning use cases, although these were deemed impractical.
- PAC and Session ID Based Resumption:
  - The ambiguity of deriving PAC from TLVs versus a TLS new session ticket was discussed. It was suggested that EAP-related derivation should be from TLVs, and TLS-related from TLS mechanisms, with new session tickets generally for one-time fast resumption.
- PKCS7/PKCS10:
  - An open issue regarding PKCS7/PKCS10 was briefly noted. The chairs indicated that this is not a current priority for the working group, and input from implementers would be beneficial for its resolution.
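As an added illustration of the RFC 5770 key-derivation discussion above (this is not the working group's text and not RFC 7170's exact derivation), the Python model below runs a TEAP-style compound-key chain over a list of inner methods. The PRF (HMAC-SHA256 in counter mode standing in for TLS-PRF), the labels, the field lengths and the handling of a method without an EMSK or MSK are all assumptions made for the example. It shows the two sequences (MSK-derived and EMSK-derived), how S-IMCK[j] is only an intermediate value on the way to CMK[j], and why an all-zeros IMSK from an inner method that derives no keys (basic password authentication, for instance) gives that step no security value: a party without the inner method's keys derives exactly the same S-IMCK and CMK.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed model of a TEAP-style compound-key chain (added example, not the
# RFC's text). PRF choice, labels and lengths are assumptions for illustration.
IMSK_LEN = 32     # octets of inner-method key material fed into each step
S_IMCK_LEN = 40   # octets of IMCK[j] kept as the intermediate S-IMCK[j]
CMK_LEN = 20      # octets of IMCK[j] kept as CMK[j]
CHAIN_LABEL = b"Inner Methods Compound Keys"   # assumed label
BIND_LABEL = b"bindkey"                        # assumed label for EMSK use


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """Stand-in PRF: HMAC-SHA256 in counter mode (RFC 7170 uses TLS-PRF)."""
    out = b""
    counter = 1
    while len(out) < length:
        out += hmac.new(secret, label + seed + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_imsk(emsk: Optional[bytes], msk: Optional[bytes], sequence: str) -> bytes:
    """IMSK[j] for one inner method in either the EMSK- or the MSK-derived sequence.

    A method that produced no key of the required kind contributes all zeros,
    which is the "all-zeros derivation" the errata discussion is about.
    """
    if sequence == "emsk":
        if emsk is None:
            return bytes(IMSK_LEN)
        # The EMSK is never used raw; derive the IMSK from it (assumed label).
        return prf(emsk, BIND_LABEL, b"", IMSK_LEN)
    if sequence == "msk":
        if msk is None:
            return bytes(IMSK_LEN)
        # Assumption: truncate or zero-pad the MSK to the IMSK length.
        return msk[:IMSK_LEN].ljust(IMSK_LEN, b"\x00")
    raise ValueError(f"unknown sequence {sequence!r}")


def compound_chain(session_key_seed: bytes,
                   inner_methods: List[Tuple[Optional[bytes], Optional[bytes]]],
                   sequence: str) -> Tuple[bytes, List[bytes]]:
    """Run the chain over inner methods given as (EMSK, MSK) pairs.

    S-IMCK[0] is the seed; each step computes IMCK[j] from S-IMCK[j-1] and
    IMSK[j], then splits it into S-IMCK[j] (intermediate) and CMK[j].
    Returns the final S-IMCK and the list of CMK[j] values.
    """
    s_imck = session_key_seed
    cmks: List[bytes] = []
    for emsk, msk in inner_methods:
        imsk = derive_imsk(emsk, msk, sequence)
        imck = prf(s_imck, CHAIN_LABEL, imsk, S_IMCK_LEN + CMK_LEN)
        s_imck, cmk = imck[:S_IMCK_LEN], imck[S_IMCK_LEN:]
        cmks.append(cmk)
    return s_imck, cmks


def step_binds_inner_method(s_imck_prev: bytes, emsk: Optional[bytes],
                            msk: Optional[bytes], sequence: str) -> bool:
    """True if a party lacking the inner method's keys (and so using zeros)
    would derive a different IMCK[j]; False means the step adds no binding."""
    with_keys = prf(s_imck_prev, CHAIN_LABEL, derive_imsk(emsk, msk, sequence),
                    S_IMCK_LEN + CMK_LEN)
    without_keys = prf(s_imck_prev, CHAIN_LABEL, bytes(IMSK_LEN),
                       S_IMCK_LEN + CMK_LEN)
    return with_keys != without_keys


if __name__ == "__main__":
    # Constructed sample material: a tunnel seed, one key-deriving inner
    # method (EMSK and MSK) and one password-only method (no keys at all).
    seed = bytes([0x01]) * S_IMCK_LEN
    keyed = (bytes([0x02]) * 64, bytes([0x03]) * 64)
    password_only = (None, None)
    for seq in ("emsk", "msk"):
        final, cmks = compound_chain(seed, [keyed, password_only], seq)
        print(seq, "final S-IMCK", final.hex()[:16], "CMK[2]", cmks[1].hex()[:16])
    print("keyed step binds:", step_binds_inner_method(seed, *keyed, "emsk"))
    print("password-only step binds:", step_binds_inner_method(seed, *password_only, "emsk"))
```

The `step_binds_inner_method` check makes the meeting's point concrete: the zero-key step is still needed so both peers advance S-IMCK identically (implementation consistency and interoperability), but the only secret it depends on is the previous S-IMCK, so it cannot detect a mismatch in what the inner method authenticated. Under this model a method that yields only an MSK likewise contributes nothing to the EMSK-derived sequence, which is the kind of case the two-sequence text is meant to spell out.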
Decisions and Action Items
- Decision: For RFC 5770 errata, the text will be updated to clarify S-IMCK and IMCK derivation, resolve IMSK/IMSK[j] inconsistencies, and explicitly state that using all zeros for key derivation provides no security value, serving only for implementation consistency.
- Action Item: Alan to push the proposed fixes for RFC 5770 errata this afternoon.
- Action Item: Joe to review Alan's concrete text proposal for RFC 5770.
- Action Item: Alan and Joe to ensure the RFC 7170 revision text aligns closely with these errata clarifications, including the explanation regarding zero-key derivation.
- Decision: For RFC 5775 errata, text will be added to define CMK[0], and terminology for CMK references will be made consistent.
- Action Item: Alan to incorporate the CMK[0] definition and consistent CMK terminology into the RFC 5775 errata.
- Decision: The significant terminology changes proposed for RFC 5767 (e.g., "inner method") will be incorporated into the upcoming full document revision, not published as a standalone erratum.
- Action Item: Alan to make notes for these updates for the revision.
- Decision: The issue related to RFC 5128 (PRF function signature) has been closed due to a lack of broader working group interest.
- Action Item: The working group chairs will initiate a mailing list discussion to gather further feedback and decide on the potential removal of the EAP-FAST PAC TLV section from the document.
Next Steps
- Alan will complete the identified text updates for RFC 5770 and RFC 5775 errata.
- The mailing list discussion regarding the EAP-FAST PAC TLV will proceed to determine its fate in the document.
- Input from implementers for the PKCS7 issue would be beneficial.
- Once critical technical issues are resolved, the document is expected to proceed to a Working Group Last Call for comprehensive review.
- The interim meeting scheduled for next Wednesday will remain on the calendar, but the chairs will notify the list if it is canceled due to a lack of pressing agenda items.
- Working group members are encouraged to post any remaining issues on GitHub or propose Pull Requests for the document.
- Suggested errata resolutions will continue to be posted to the list for alignment with the revision and eventual submission to the AD for earlier publication.
- The working group anticipates being able to resolve any remaining issues and potentially advance the document to the IESG around the time of the Yokohama meeting.