IETF Logo Mail Archive

Re: [Captive-portals] A final check on draft-ietf-capport-architecture-09

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 10 August 2020 04:18 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B2AE3A13B0 for <captive-portals@ietfa.amsl.com>; Sun, 9 Aug 2020 21:18:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wfIdWCXFbO57 for <captive-portals@ietfa.amsl.com>; Sun, 9 Aug 2020 21:18:53 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC5A53A13AF for <captive-portals@ietf.org>; Sun, 9 Aug 2020 21:18:53 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 526A7389D2; Sun, 9 Aug 2020 23:58:08 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Lilb10eDzHXi; Sun, 9 Aug 2020 23:58:06 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 6F4AC389BA; Sun, 9 Aug 2020 23:58:06 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 89804114; Mon, 10 Aug 2020 00:18:49 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Martin Thomson <mt@lowentropy.net>, captive-portals@ietf.org, Barry Leiba <barryleiba@computer.org>
In-Reply-To: <b666d3af-fcf6-4534-be01-7e7441d0d6d2@www.fastmail.com>
References: <b666d3af-fcf6-4534-be01-7e7441d0d6d2@www.fastmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 10 Aug 2020 00:18:49 -0400
Message-ID: <17263.1597033129@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/gv9JpTF8qctOemvutRnsjVHhsBc>
Subject: Re: [Captive-portals] A final check on draft-ietf-capport-architecture-09
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2020 04:18:56 -0000

I've read through the diffs:

One that jumped out at me:
   If the API server is identified by
   IP address, the iPAddress subjectAltName is used to validate the
   behavior described above.

This was added based upon some review comment.
While I can't really object to the idea, I am concerned.
What are the transports that result in only being able to provide a public IP
address? How many common PKI trust anchors are supporting iPAddress SANs today?

This seems like it's opening a situation where someone will deploy on RFC1918
addresses and then expect clients to do some exception processing.
Particularly in corporate guest networks where they only tested with their
devices that already have their private PKI anchors.  I can think of a few
captive portal product managers that I have interacted with that would simply
not understand this.
I'd rather we didn't allow for iPAddress SANs, but it's not a sword I'll die on.


The next part says:
  An Enforcement Device SHOULD allow access to any
  services that User Equipment could need to contact to perform
  certificate validation, such as OCSP responders, CRLs, and NTP
  servers;

That's a good list, and that list can be seen from looking at the
certificates that the captive portal operator is going to use.
But, aren't there *also* systems (Mozilla? Chrome?) where the respective
vendors are collecting that info into a central place to make stuff go
faster?   I can't quite find what I'm looking for in a search, because
OCSP-Stapling is not what I'm talking about, and eliminates the need.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email