Looks good to me -- thanks for accommodating this.

Josh.
On 30/09/2013 00:41, "Joseph Salowey (jsalowey)" <jsalo...@cisco.com> wrote:

>Below is the text for the Error TLV. This should have the error
>messages we discussed. I also moved the CSR-related error messages to
>warnings.
>
>Cheers,
>
>Joe
>
>4.2.6. Error TLV
>
>   The Error TLV allows an EAP peer or server to indicate errors to the
>   other party. A TEAP packet can contain 0 or more Error TLVs. The
>   Error-Code field describes the type of error. Error Codes 1-999
>   represent successful outcomes (informative messages), 1000-1999
>   represent warnings, and codes 2000-2999 represent fatal errors. A
>   fatal Error TLV MUST be accompanied by a Result TLV indicating
>   failure and the conversation is terminated as described in
>   Section 3.6.3.
>
>   Many of the error codes below refer to errors in inner method
>   processing that may be retrieved if made available by the inner
>   method. Implementations MUST take care that error messages do not
>   reveal too much information to an attacker. For example, the usage
>   of error message 1031 (User account credentials incorrect) is NOT
>   RECOMMENDED, because it allows an attacker to determine valid
>   usernames by differentiating this response from other responses. It
>   should only be used for troubleshooting purposes.
>
>   The Error TLV is defined as follows:
>
>    0                   1                   2                   3
>    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>   |M|R|         TLV Type          |            Length             |
>   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>   |                           Error-Code                          |
>   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
>   M
>
>      Mandatory, set to one (1)
>
>   R
>
>      Reserved, set to zero (0)
>
>   TLV Type
>
>      5 for Error TLV
>
>   Length
>
>      4
>
>   Error-Code
>
>      The Error-Code field is four octets. Currently defined values
>      for Error-Code include:
>
>      1     User account expires soon
>      2     User account credential expires soon
>      3     User account authorisations change soon
>      4     Clock skew detected
>      5     Contact administrator
>      6     User account credentials change required
>
>      1001  Inner Method Error
>      1002  Unspecified authentication infrastructure problem
>      1003  Unspecified authentication failure
>      1004  Unspecified authorisation failure
>      1005  User account credentials unavailable
>      1006  User account expired
>      1007  User account locked: try again later
>      1008  User account locked: admin intervention required
>      1009  Authentication infrastructure unavailable
>      1010  Authentication infrastructure not trusted
>      1011  Clock skew too great
>      1012  Invalid inner realm
>      1013  Token out of sync: administrator intervention required
>      1014  Token out of sync: PIN change required
>      1015  Token revoked
>      1016  Tokens exhausted
>      1017  Challenge expired
>      1018  Challenge algorithm mismatch
>      1019  Client certificate not supplied
>      1020  Client certificate rejected
>      1021  Realm mismatch between inner and outer identity
>      1022  Unsupported Algorithm In Certificate Signing Request
>      1023  Unsupported Extension In Certificate Signing Request
>      1024  Bad Identity In Certificate Signing Request
>      1025  Bad Certificate Signing Request
>      1026  Internal CA Error
>      1027  General PKI Error
>      1028  Inner method's channel binding data required but not supplied
>      1029  Inner method's channel binding data did not include required
>            information
>      1030  Inner method's channel binding failed
>      1031  User account credentials incorrect [USAGE NOT RECOMMENDED]
>
>      2001  Tunnel Compromise Error
>      2002  Unexpected TLVs Exchanged
>
>
>On Sep 10, 2013, at 9:44 AM, Joseph Salowey (jsalowey)
><jsalo...@cisco.com> wrote:
>
>>
>> On Sep 9, 2013, at 8:10 AM, Josh Howlett <josh.howl...@ja.net> wrote:
>>
>>>>>
>>>>> - User account credentials incorrect
>>>>> - User account credentials change required
>>>>
>>>> [Joe] I am concerned that these error messages reveal too much
>>>> information to an attacker.
>>>
>>> I agree there are risks if used inappropriately, but nonetheless there
>>> are reasonable uses for these (for example, switching it on temporarily
>>> when debugging) as these are very common error conditions. I suggest
>>> that these be optional to implement and use, and that we have security
>>> considerations text that highlights the issue. Happy to propose some
>>> text.
>>>
>>
>> [Joe] I'm not really in favor of including things in standards that
>> should not be used. I am concerned that this could delay the document.
>> If you provide some sample text and no-one objects then I will include
>> this in the document.
>>
>>> Josh.
>>>
>>>
>>> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
>>> not-for-profit company which is registered in England under No. 2881024
>>> and whose Registered Office is at Lumen House, Library Avenue,
>>> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>>>
>>
>> _______________________________________________
>> Emu mailing list
>> Emu@ietf.org
>> https://www.ietf.org/mailman/listinfo/emu
>
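The Error TLV layout and the error-code severity ranges quoted in the thread above, as an added Python example; this is not code from the draft, from the EMU list, or from any of the people in the thread. Two things in it go beyond the quoted text and are assumptions: the Result TLV layout (TLV Type 3, a 2-octet Status where 2 means Failure) is taken from RFC 7170 rather than from this message, and the `sanitise_code` policy is one illustration of the "NOT RECOMMENDED" note on code 1031, not draft text. The packet check enforces the quoted rule that a fatal Error TLV must travel with a Result TLV indicating failure.

```python
"""Encode, parse and validate TEAP Error TLVs (draft section 4.2.6 text)."""
import struct

ERROR_TLV_TYPE = 5
RESULT_TLV_TYPE = 3      # assumption: Result TLV type from RFC 7170, not on this page
RESULT_FAILURE = 2       # assumption: Result TLV Status value for Failure (RFC 7170)

# Subset of the Error-Code registry as listed in the quoted text.
ERROR_CODES = {
    1: "User account expires soon",
    4: "Clock skew detected",
    1001: "Inner Method Error",
    1003: "Unspecified authentication failure",
    1007: "User account locked: try again later",
    1031: "User account credentials incorrect [USAGE NOT RECOMMENDED]",
    2001: "Tunnel Compromise Error",
    2002: "Unexpected TLVs Exchanged",
}


def severity(code):
    """Classify an Error-Code by the ranges in the text: 1-999 informative,
    1000-1999 warning, 2000-2999 fatal; anything else is undefined."""
    if 1 <= code <= 999:
        return "informative"
    if 1000 <= code <= 1999:
        return "warning"
    if 2000 <= code <= 2999:
        return "fatal"
    raise ValueError("Error-Code %d is outside the defined ranges" % code)


def encode_error_tlv(code):
    """M=1, R=0, TLV Type=5, Length=4, then the four-octet Error-Code.
    M is the most significant bit of the first 16-bit word, R the next,
    and the TLV Type occupies the remaining 14 bits."""
    header = (1 << 15) | ERROR_TLV_TYPE
    return struct.pack("!HHI", header, 4, code)


def encode_result_tlv(status):
    """Result TLV under the assumed RFC 7170 layout: M=1, type 3, length 2."""
    return struct.pack("!HHH", (1 << 15) | RESULT_TLV_TYPE, 2, status)


def parse_tlvs(data):
    """Walk a run of TEAP TLVs and return (mandatory, tlv_type, value) tuples,
    refusing truncated headers or values instead of reading past the end."""
    tlvs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated TLV header")
        header, length = struct.unpack_from("!HH", data, off)
        value = data[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        tlvs.append(((header >> 15) & 1, header & 0x3FFF, value))
        off += 4 + length
    return tlvs


def check_packet(data):
    """Decode every Error TLV in a packet and report whether the packet is
    consistent with the rule that a fatal Error TLV MUST be accompanied by a
    Result TLV indicating failure. Returns (errors, rule_satisfied)."""
    errors, failure_result = [], False
    for mandatory, tlv_type, value in parse_tlvs(data):
        if tlv_type == ERROR_TLV_TYPE:
            if not mandatory or len(value) != 4:
                raise ValueError("malformed Error TLV (M must be 1, Length 4)")
            code = struct.unpack("!I", value)[0]
            errors.append((code, severity(code)))
        elif tlv_type == RESULT_TLV_TYPE and len(value) == 2:
            failure_result |= struct.unpack("!H", value)[0] == RESULT_FAILURE
    fatal_present = any(sev == "fatal" for _, sev in errors)
    return errors, (not fatal_present) or failure_result


def sanitise_code(code, troubleshooting=False):
    """Illustrative server-side policy (not draft text): 1031 lets a client
    distinguish a valid username from an invalid one, so outside an explicit
    troubleshooting session report the generic 1003 instead."""
    if code == 1031 and not troubleshooting:
        return 1003
    return code


if __name__ == "__main__":
    # Constructed sample packet: a fatal error correctly paired with a failure Result TLV.
    packet = encode_error_tlv(2001) + encode_result_tlv(RESULT_FAILURE)
    errors, ok = check_packet(packet)
    for code, sev in errors:
        print("%d (%s): %s" % (code, sev, ERROR_CODES.get(code, "unknown")))
    print("fatal-error rule satisfied:", ok)
    print("1031 reported to client as:", sanitise_code(1031))
```

`check_packet` is written from the receiving side: a peer that sees a fatal Error TLV without the accompanying failure Result TLV has a malformed conversation to log, not an ambiguous one to continue. `sanitise_code` sits on the sending side and keeps the troubleshooting-only behaviour behind an explicit flag so that the default build never emits the username-distinguishing code.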