On Sat, 19 Aug 2023 at 00:26, Michael Richardson <mcr+i...@sandelman.ca> wrote:
> Heikki Vatiainen <h...@radiatorsoftware.com> wrote:
> > Should it be noted that this provisioning method is only available with
> > TLS 1.2 and earlier because the method requires anonymous ciphersuites?
> > It confirms to the reader that this is the intended case.
>
> If we are talking about an RFC8995 (BRSKI) mechanism then:
>
> a) It requires that the Peer defer validation of the Server's certificate
>    until later on when another signed artifact is received (RFC8366 voucher).
> b) The server still validates the Peers' client (IDevID) certificate.
>
> We don't need or want anonymous ciphersuites here.

I had the impression that Server Unauthenticated provisioning requires
anonymous ciphersuites. I now see that this is incorrect. TLS 1.2 RFC has
the following text:

[near the list of anonymous ciphersuites]
https://www.rfc-editor.org/rfc/rfc5246#appendix-A.5

   Note that using non-anonymous key exchange without actually verifying
   the key exchange is essentially equivalent to anonymous key exchange,
   and the same precautions apply.

A closer look at the current draft shows that the first paragraph in
"Server Unauthenticated Provisioning Mode" section already includes text
that kind of matches what the RFC 5246 quote above says:

https://www.ietf.org/archive/id/draft-ietf-emu-rfc7170bis-12.html#section-3.10.3

   This includes both cases in which the ciphersuite negotiated does not
   provide authentication and in which the ciphersuite negotiated provides
   the authentication but the peer is unable to validate the identity of
   the server for some reason.

RFC 5422 "Dynamic Provisioning Using EAP-FAST" requires an anonymous
ciphersuite for Server-Unauthenticated Provisioning Mode. This is the
reason I thought the same requirement applies for TEAP's Server
Unauthenticated provisioning mode too.

https://www.rfc-editor.org/rfc/rfc5422.html#section-2

To summarise how I understand this now: In order to choose Server
Unauthenticated Provisioning Mode, all TLS versions can skip server
certificate validation. In addition to this option, TLS 1.2 and earlier
can also make the mode selection clear by using an anonymous ciphersuite.

--
Heikki Vatiainen
h...@radiatorsoftware.com