I reviewed this document as part of the Security Directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the Security Area Directors. Document authors, document editors, and WG chairs should treat these comments just like any other IETF Last Call comments. Document: draft-ietf-radext-radiusdtls-bis-02 Reviewer: Russ Housley Review Date: 2024-09-28 IETF LC End Date: Unknown IESG Telechat date: Unknown Summary: Not Ready Major Concerns: Section 3.3 contains a TODO. It needs to be resolved. Section 4.1 contains a TODO. It needs to be resolved. Also, the TODO note and the next sentence are munged together. Section 4.2 is confusing. To align with the discussion of connected identity, I think that four cases need to be discussed in this introductory section: TLS-X.509-PKIX-TRUST-MODEL, TLS-X.509-FINGERPRINTS, TLS-RAW-PUBLIC-KEY, and TLS-PSK. In Section 4.2.1 Please reference RFC 5280 for the definition of Certification Authorities (CAs). It might be better to talk about trust anchors instead of Trusted CAs. Section 4.2.1 includes: - If the expected RADIUS/(D)TLS server was configured as a hostname, the configured name is matched against the presented names from the subjectAltName:DNS extension; if no such exist, against the presented CN component of the certificate subject - If the expected RADIUS/(D)TLS server was configured as an IP address, the configured IP address is matched against the presented addresses in the subjectAltName:iPAddr extension; if no such exist, against the presented CN component of the certificate subject. There is no "subjectAltName:DNS extension". It would be better to say that the subjectAltName extension contains a domain name system label in the dNSName as an IA5String. This means that an Internationalized Resource Identifier (IRI) is put in the certificate in the ASCII form (punycode). Likewise, there is no "subjectAltName:iPAddr extension". It would be better to say that the subjectAltName extension contains an IP address in the iPAddress as an OCTET STRING. Section 4.2.1 includes: o The realm which was used as input to the discovery is matched against the presented realm names from the subjectAltName:naiRealm extension. o If the discovery process yielded a hostname, this hostname is matched against the presented names from the subjectAltName:DNS extension; if no such exist, against the presented CN component of the certificate subject. Implementations MAY require the use of DNSSEC [RFC4033] to ensure the authenticity of the DNS result before relying on this for trust checks. There is no "subjectAltName:naiRealm extension". I assume this is based on RFC 7585. If that is correct, then a reference is needed. Assuming that is correct, it would be better to say that the subjectAltName extension contains an other name containing a NAIRealm as a UTF8String. Likewise, there is no "subjectAltName:DNS extension". I discussed this point above. Section 4.2.1 includes: * When the configured trust base changes (e.g., removal of a CA from the list of trusted CAs; issuance of a new CRL for a given CA), implementations SHOULD renegotiate the TLS session to reassess the connecting peer's continued authorization. I suspect that performing the certificate path validation again is good enough. That said, I am not sure that is practical. The information from the handshake might not be kept around. Section 4.2.3 says: RADIUS/(D)TLS implementations SHOULD support using Raw Public Keys [RFC7250] for mutual authentication. I do not understand how raw public keys are used to support mutual authentication. More information needs to be included in this section. Further, Section 4.2 talks about authentication using X.509 certificates with the PKIX trust model and authentication using TLS-PSK. If support for raw public keys is needed, then this introduction must include some discussion of this alternative. Section 4.3 is confusing. I think that four subsections might be helpful: TLS-X.509-PKIX-TRUST-MODEL, TLS-X.509-FINGERPRINTS, TLS-RAW-PUBLIC-KEY, and TLS-PSK. Section 4.4 contains a TODO. It needs to be resolved. Section 5.1 contains a TODO. It needs to be resolved. Section 6.3 contains a TODO. It needs to be resolved. Section 6.4 contains a TODO. It needs to be resolved. Section 6.4.1.1 contains two TODOs. They need to be resolved. Section 6.4.2 contains a TODO. It needs to be resolved. Section 7.1 contains a TODO. It needs to be resolved. Minor Concerns: Section 1 begins with: The RADIUS protocol as described in [RFC2865], [RFC2866], [RFC5176] and others is a widely deployed authentication, authorization and accounting solution. I find this very difficult to understand. Please make this two sentences. One that says what the RADIUDS protocol is about, and a separate sentence about where it is defined. Section 1.2 includes: * RFC6614 only requires support for the trust model "certificates with PKIX". This document changes this. For servers, "certificates with PKIX" and "TLS-PSK" is now mandated and clients must implement one of the two. Please add pointers for these two terms. This is the first place in the document where these terms are used. I'm unsure if it would be better to point to the right part of Section 4.2 or the other documents. Section 3.3 includes: For RADIUS/TLS, the peers MAY send TCP keepalives as described in [RFC9293], Section 3.8.4, for RADIUS/DTLS connections, the peers MAY send periodic keepalives as defined in [RFC6520], as a way of proactively and rapidly triggering a connection DOWN notification from the network stack. This is hard to parse. Please break into two sentences, one for RADIUS/TLS, and a separate sentence for RADIUS/DTLS. Please make them parallel in structure. Food for thought: I do not expect a response to this part of the review. I am just planting a seed of an idea. I ask the authors to think about it. Section 4.2 talks about authentication using X.509 certificates with the PKIX trust model and authentication using TLS-PSK [I-D.ietf-radext-tls-psk]. Please consider a third alternative based on RFC 8773, which mixes certificate-based authentication with an external PSK. This alternative would provide protection from a record-now-decrypt-later attack from the future invention of a cryptographically relevant quantum computer (CRQC). Nits: Section 1.2: s/usage of TLSv1.3/usage of TLSv1.3./ Section 1.2: s/been updated/been updated./ Section 3.1: s/See Section 7 or/See Section 7 of/ Section 3.1: s/further in Section 6/further in Section 6./ Section 3.3: s/It is REQUIRED that implementations utilize/ /RADIUS/(D)TLS clients MUST use/ Section 3.3: s/It is REQUIRED that RADIUS/(D)TLS clients implement/ /RADIUS/(D)TLS clients MUST implement/ Section 4: s/(D)TLS session/(D)TLS session./ Section 4.1: s/clients must establish/clients MUST establish/ Section 4.2.1: s/Certificate Authorities/Certification Authorities (CAs)/ Section 4.2.1: s/certificate subject/certificate subject./ Section 4.2.1: s/certificate MAY Be/certificate MAY be/ Section 4.2.1: s/trust chain checks/certificate path validation/ (more than once) Section 4.2.2: s/trusted certificates/trust anchors/ Section 4.5.1: s/Acct-elay-Time/Acct-Delay-Time/ Section 7.2: s/to any middle-person/to any party/ Section 7.3: s/bogous/bogus/ (more than once) Note: I did not review the Appendices.