IETF Logo Mail Archive

Re: [Captive-portals] A final check on draft-ietf-capport-architecture-09

Martin Thomson <mt@lowentropy.net> Mon, 10 August 2020 05:01 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DCC93A13D7 for <captive-portals@ietfa.amsl.com>; Sun, 9 Aug 2020 22:01:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=taPRJqkG; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=XoAGyeZg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U2lwErUXOyNB for <captive-portals@ietfa.amsl.com>; Sun, 9 Aug 2020 22:01:18 -0700 (PDT)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 603203A13D6 for <captive-portals@ietf.org>; Sun, 9 Aug 2020 22:01:18 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.west.internal (Postfix) with ESMTP id 912046D2; Mon, 10 Aug 2020 01:01:17 -0400 (EDT)
Received: from imap2 ([10.202.2.52]) by compute2.internal (MEProxy); Mon, 10 Aug 2020 01:01:17 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm3; bh=awnVpvwDUOSo3/AsFghtdQSdnS0npjj SQAjMsodccPI=; b=taPRJqkGurIikTtA1zr6Y1oey9uJc+qCJKL6m/hiQztiYK0 ePWTzxuCjC2+UsjObnicxo0gR7GgFH3J6/BkEEp36azP7TSFJsfvce8Sasj2NBgx jZSTu3svjqv5uxJpBEI0RvReByHSMzEOuN4jkIzCcx7K8f5+rSRKsvOGmV3p73F+ qtmd+Tx6aJGEBW63G7xuWp2Kz8LiVRiEK/lhduG8pfnpRPTYNDLF+Ic3Bk5eMqUv LBi3/VJtnt/a1RQ6cOn9na1Moh1NvZXTVQaej1vNF+RXrYaOWut4Gh2RYUNllwG1 qUKKFutq1jM7iMdoP35dT2UCUqqOB6peBXvjUrQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=awnVpv wDUOSo3/AsFghtdQSdnS0npjjSQAjMsodccPI=; b=XoAGyeZg3DA0nETnPrrLd7 PQ6Ocno982jF34llr1focE6Ux+w19fI2+46/8hvh3uEZ58Q+N08a67ON7V4kWSp/ ls+3BctVa5VHDGgUmqF3BDOQQBkSXFPveZV1tQv8+ByN56VFoyc67BmtcAz9Xc28 M0j4Bjj0Vud1kTFoSQ4zV90eAybalhYdSwugn1ZW6Qt8fvU91fjNUg0EXEZhUzB5 Q5oe3RFwYEeFtZoLfN6UyKQ87Kz4YVTUzhGMl42CUXZ0zuFK6EvB7/tYk7usnu/c qtXmPFVAP4T+9jDL1Zur5xRVA0CEcnFWArhRamVQwB873JfT958n1vYK766/qvrw ==
X-ME-Sender: <xms:nNQwX4Pnnx_oM7Mlm5xjOTg2z3w6J_R132GQmU3io80YreBDiU-zlA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduiedrkeejgdeludcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtsehttdertderreejnecuhfhrohhmpedfofgrrhht ihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigvnhhtrhhophihrdhnvghtqeenucggtf frrghtthgvrhhnpeehfeetudduudehtdekhfdvhfetleffudejgeejffehffevkeduiefg ueevkeefleenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhroh hmpehmtheslhhofigvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:nNQwX-9gz2_boySO1SpZzgwkCLA70eoKPfFt2ckyFLuLd6gjtV3QgQ> <xmx:nNQwX_RXF4IxpeGh7de8zhiEJyU-OBZaDitYMltqw4tVdOfdjVODSA> <xmx:nNQwXwsXyU6_KO4dTEnAD79FYKQa1_WDHqTnykeBN2c3K2jpeCEXJw> <xmx:ndQwX6oiPxq5qwLSDeGHiIhz0xi6tj899u8TmVhDe_DZcwa_5GFdzQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 9E84FE00A6; Mon, 10 Aug 2020 01:01:16 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-143-g3d58b38-fm-20200806.002-g3d58b387
Mime-Version: 1.0
Message-Id: <3688bd80-1cd8-468c-bf5e-d5ee8731a1ab@www.fastmail.com>
In-Reply-To: <17263.1597033129@localhost>
References: <b666d3af-fcf6-4534-be01-7e7441d0d6d2@www.fastmail.com> <17263.1597033129@localhost>
Date: Mon, 10 Aug 2020 15:00:56 +1000
From: Martin Thomson <mt@lowentropy.net>
To: Michael Richardson <mcr+ietf@sandelman.ca>, captive-portals@ietf.org, Barry Leiba <barryleiba@computer.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/19sHXoOtiE13zcsoIv01yLziB2s>
Subject: Re: [Captive-portals] A final check on draft-ietf-capport-architecture-09
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2020 05:01:20 -0000

On Mon, Aug 10, 2020, at 14:18, Michael Richardson wrote:
> I've read through the diffs:

Thanks!

> This was added based upon some review comment.
> While I can't really object to the idea, I am concerned.
> What are the transports that result in only being able to provide a public IP
> address? How many common PKI trust anchors are supporting iPAddress SANs today?

There are no methods for providing an API URL that don't support a domain name.  That said, this iPAddress thing is just reiterating a requirement from RFC 6125.  It isn't *widely* supported, but most clients do respect iPAddress SANs (browsers do for certain), and there are a couple of CAs that support issuance.  ACME recently grew a validation mechanism for IP (RFC 8738).

> I'd rather we didn't allow for iPAddress SANs, but it's not a sword I'll die on.

Ack.  Personally, I'm more concerned about implementations allowing an override option other than through modifying the trust store.  A domain name is equally problematic there (let's hope we don't see .home addresses...).  But I don't see any easy path to a per-host override based on what I've seen in implementations so far.

> The next part says:
>   An Enforcement Device SHOULD allow access to any
>   services that User Equipment could need to contact to perform
>   certificate validation, such as OCSP responders, CRLs, and NTP
>   servers;
> 
> That's a good list, and that list can be seen from looking at the
> certificates that the captive portal operator is going to use.
> But, aren't there *also* systems (Mozilla? Chrome?) where the respective
> vendors are collecting that info into a central place to make stuff go
> faster?   I can't quite find what I'm looking for in a search, because
> OCSP-Stapling is not what I'm talking about, and eliminates the need.

Yes, browsers are providing systems that help with revocation.  Mozilla has OneCRL and CRLite; Chrome has CRLSets; offhand, I don't know what Microsoft and Apple might be doing differently.  Those systems that I'm aware of don't require network access at validation time.  The whole point being to provide timely information about revocation without depending on a live OCSP or CRL fetch (which have poor privacy properties in addition to adding to fragility).

v2.23.0 | Report a Bug | By Email