
RE: [TLS] Stateless TLS Session Resumption extension and EAP-FAST.



We have submitted a draft for an RFC4507bis to correct this problem.  It
can be found at 

http://www.ietf.org/internet-drafts/draft-salowey-tls-rfc4507bis-00.txt

Please take this opportunity to review the draft correction as we would
like to submit the draft for publication soon.

Thanks,

Joe

> -----Original Message-----
> From: Joseph Salowey (jsalowey) 
> Sent: Monday, March 05, 2007 2:18 PM
> To: Jan Nordqvist; tls@xxxxxxxx
> Subject: RE: [TLS] Stateless TLS Session Resumption extension 
> and EAP-FAST.
> 
> Hi Jan,
> 
> You are correct, there is an issue with the current 
> implementation.  Thanks for pointing this out.  Details follow:
> 
> Current EAP-FAST implementations do not format the extension 
> correctly according to the spec.  They leave out one of the length fields.
> 
> EAP-FAST implementation:
> 
>       struct {
>          uint16 extensionType;
>          opaque ticket<0..2^16-1>;
>       } SessionTicketExtension;
> 
> Example encoding: 00 23 LL LL TT TT TT ...
> 
> LL - ticket length
> TT - ticket
> 
> RFC4507:
> 
> >     struct {
> >        opaque ticket<0..2^16-1>;
> >     } SessionTicket;
> >
> >     struct {
> >        uint16 extensionType;
> >        opaque SessionTicket<0..2^16-1>;
> >     } SessionTicketExtension;
> >
> 
> Example encoding: 00 23 LN LN LL LL TT TT TT....
> 
> LN - length of ticket + 2-bytes
> 
> Joe 
> 
> > -----Original Message-----
> > From: Jan Nordqvist [mailto:jnordqvist@xxxxxxxxxxxxxxxxxx]
> > Sent: Thursday, March 01, 2007 11:52 AM
> > To: tls@xxxxxxxx
> > Subject: [TLS] Stateless TLS Session Resumption extension and 
> > EAP-FAST.
> > 
> > I apologize if this gets duplicated, I had the wrong address
> > registered:
> > 
> > During some recent work incorporating EAP-FAST support into our TLS 
> > stack I have discovered that the devices we use for testing are 
> > violating the format of the stateless session ticket extension 
> > definition per RFC-4507. In all instances I have seen, the whole 
> > SessionTicket is preceded by a two-byte 'type' field, i.e. the 
> > definition is really
> > 
> > struct {
> >     uint16 type;
> >     opaque ticket<0..2^16-1>;
> > } SessionTicket;
> > 
> > I don't know the size of deployments of EAP-FAST devices versus other 
> > implementations using the session ticket extension, but it seems that 
> > either RFC-4507 needs to be updated to reflect what is actually 
> > implemented or perhaps the extension should be split into two.
> > 
> > Regards,
> > Jan Nordqvist
> > 
> > 
> > 
> 
> 

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls
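The two wire encodings Joe spells out in the quoted reply (the RFC 4507 form with the inner SessionTicket length, and the EAP-FAST form that omits it), as an added example that is not code from the thread or from any EAP-FAST implementation. It builds both forms for the same ticket and shows how a lenient decoder can tell them apart, including the case where it cannot; the extension type value 0x0023 is taken from the example encodings in the thread.

```python
import struct
from typing import Tuple

SESSION_TICKET_TYPE = 0x0023  # "00 23" in the thread's example encodings


def encode_rfc4507(ticket: bytes) -> bytes:
    """RFC 4507 form: type || ext length LN || SessionTicket (LL || ticket).
    Wire form from the thread: 00 23 LN LN LL LL TT TT ..., LN = len(ticket) + 2."""
    session_ticket = struct.pack("!H", len(ticket)) + ticket
    return struct.pack("!HH", SESSION_TICKET_TYPE, len(session_ticket)) + session_ticket


def encode_eap_fast(ticket: bytes) -> bytes:
    """Form the thread attributes to EAP-FAST: the inner LL LL field is omitted.
    Wire form: 00 23 LL LL TT TT ..."""
    return struct.pack("!HH", SESSION_TICKET_TYPE, len(ticket)) + ticket


def decode_session_ticket_ext(ext: bytes) -> Tuple[str, bytes]:
    """Parse one extension and return (encoding_name, ticket).

    Validates the outer header and length before looking at the body. The
    choice between the two forms is a heuristic: an EAP-FAST ticket whose
    first two bytes happen to equal LN-2 is indistinguishable from an
    RFC 4507 SessionTicket, so such input is reported as 'rfc4507'."""
    if len(ext) < 4:
        raise ValueError("truncated extension header")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != SESSION_TICKET_TYPE:
        raise ValueError(f"unexpected extension type {ext_type:#06x}")
    body = ext[4:]
    if len(body) != ext_len:
        raise ValueError("extension_data length does not match declared length")
    # RFC 4507 form: body is LL LL || ticket with LL exactly ext_len - 2.
    if ext_len >= 2 and struct.unpack("!H", body[:2])[0] == ext_len - 2:
        return "rfc4507", body[2:]
    # Otherwise the body is the bare ticket, i.e. the EAP-FAST form.
    return "eap-fast", body


if __name__ == "__main__":
    # Constructed sample ticket, not a real session ticket.
    sample = b"\xaa\xbb\xcc"
    print(encode_rfc4507(sample).hex(" "))   # 00 23 00 05 00 03 aa bb cc
    print(encode_eap_fast(sample).hex(" "))  # 00 23 00 03 aa bb cc
```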