[Captive-portals] Onboarding devices and Captive Portal API

"M. Ranganathan" <mranga@gmail.com> Fri, 31 January 2020 14:16 UTC

MIME-Version: 1.0
From: "M. Ranganathan" <mranga@gmail.com>
Date: Fri, 31 Jan 2020 09:15:44 -0500
Message-ID: <CAHiu4JP8ZyXFXNODLspsobfoSiViCAQZDBsyF942oSqe6H8rBg@mail.gmail.com>
To: captive-portals@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/XAznbcG5HLYKJycd6QDXP5xP3gI>
Subject: [Captive-portals] Onboarding devices and Captive Portal API
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jan 2020 14:16:23 -0000

Hello,

There are scenarios involving device onboarding where Captive Portal
capability seems like a good fit.

Consider a device that has been securely onboarded onto a network.
The device wants to present a signed credential to the network (e.g.
it could present its signed MUD URL) that can be evaluated or challenged
by the captive portal server.

Following up on a suggestion by Michael Richardson, can the Captive
Portal API be extended to do this?

For example,

1. Device onboards and presents its certificate, and signed MUD URL to
the captive portal server.
2. Captive portal server verifies the certificate using the
manufacturer certificate.
3. If certificate and signature are valid, then Captive Portal server
removes the device from quarantine and allows it onto the network. It
could optionally challenge the device to authenticate it but
presumably that step has already been done during onboarding.

Another situation where a captive portal could be useful is BRSKI. Not
sure if these use cases are too far removed from the intended use of
this specification.


Thanks for reading,

Regards

Ranga

-- 
M. Ranganathan
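The portal-side check behind steps 1 to 3 of the message above, as an added Go example that is not part of this thread or of any captive-portal implementation. It assumes the device signs the SHA-256 hash of its MUD URL string with the ECDSA key in its certificate and that the portal holds the manufacturer's CA certificate; the CA, device certificate and URL are constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Claim is what the device presents at step 1: its DER certificate plus an ECDSA signature over SHA-256(MUD URL) (assumed encoding).
type Claim struct {
	DeviceCert, Signature []byte
	MUDURL                string
}
// verifyClaim is the portal side of steps 2 and 3: chain the device cert to the manufacturer CA, then check the MUD URL signature.
func verifyClaim(c Claim, manufacturer *x509.Certificate, now time.Time) bool {
	cert, err := x509.ParseCertificate(c.DeviceCert)
	if err != nil {
		return false
	}
	roots := x509.NewCertPool()
	roots.AddCert(manufacturer)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return false // not issued under this manufacturer, expired, or malformed: device stays quarantined
	}
	pub, _ := cert.PublicKey.(*ecdsa.PublicKey) // nil if the cert does not carry an ECDSA key
	h := sha256.Sum256([]byte(c.MUDURL))
	return pub != nil && ecdsa.VerifyASN1(pub, h[:], c.Signature)
}
// newFixture builds a constructed manufacturer CA and a device cert under it (test material, not any real vendor's) and a claim signed by the device.
func newFixture(mudURL string) (*x509.Certificate, Claim) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	}
	caTmpl := tmpl(1, "Example Manufacturer CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	devDER, _ := x509.CreateCertificate(rand.Reader, tmpl(2, "device-0001"), ca, &devKey.PublicKey, caKey)
	h := sha256.Sum256([]byte(mudURL))
	sig, _ := ecdsa.SignASN1(rand.Reader, devKey, h[:]) // the device signs its own MUD URL
	return ca, Claim{DeviceCert: devDER, MUDURL: mudURL, Signature: sig}
}
```

A tampered URL, a certificate from a different CA, or an expired certificate all leave verifyClaim returning false, so the device is not released from quarantine.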