Re: [Captive-portals] A final check on draft-ietf-capport-architecture-09
Michael Richardson <mcr+ietf@sandelman.ca> Mon, 10 August 2020 04:18 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B2AE3A13B0 for <captive-portals@ietfa.amsl.com>; Sun, 9 Aug 2020 21:18:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wfIdWCXFbO57 for <captive-portals@ietfa.amsl.com>; Sun, 9 Aug 2020 21:18:53 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC5A53A13AF for <captive-portals@ietf.org>; Sun, 9 Aug 2020 21:18:53 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 526A7389D2; Sun, 9 Aug 2020 23:58:08 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Lilb10eDzHXi; Sun, 9 Aug 2020 23:58:06 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 6F4AC389BA; Sun, 9 Aug 2020 23:58:06 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 89804114; Mon, 10 Aug 2020 00:18:49 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Martin Thomson <mt@lowentropy.net>, captive-portals@ietf.org, Barry Leiba <barryleiba@computer.org>
In-Reply-To: <b666d3af-fcf6-4534-be01-7e7441d0d6d2@www.fastmail.com>
References: <b666d3af-fcf6-4534-be01-7e7441d0d6d2@www.fastmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 10 Aug 2020 00:18:49 -0400
Message-ID: <17263.1597033129@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/gv9JpTF8qctOemvutRnsjVHhsBc>
Subject: Re: [Captive-portals] A final check on draft-ietf-capport-architecture-09
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2020 04:18:56 -0000
I've read through the diffs: One that jumped out at me: If the API server is identified by IP address, the iPAddress subjectAltName is used to validate the behavior described above. This was added based upon some review comment. While I can't really object to the idea, I am concerned. What are the transports that result in only being able to provide a public IP address? How many common PKI trust anchors are supporting iPAddress SANs today? This seems like it's opening a situation where someone will deploy on RFC1918 addresses and then expect clients to do some exception processing. Particularly in corporate guest networks where they only tested with their devices that already have their private PKI anchors. I can think of a few captive portal product managers that I have interacted with that would simply not understand this. I'd rather we didn't allow for iPAddress SANs, but it's not a sword I'll die on. The next part says: An Enforcement Device SHOULD allow access to any services that User Equipment could need to contact to perform certificate validation, such as OCSP responders, CRLs, and NTP servers; That's a good list, and that list can be seen from looking at the certificates that the captive portal operator is going to use. But, aren't there *also* systems (Mozilla? Chrome?) where the respective vendors are collecting that info into a central place to make stuff go faster? I can't quite find what I'm looking for in a search, because OCSP-Stapling is not what I'm talking about, and eliminates the need. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Captive-portals] A final check on draft-ietf-cap… Martin Thomson
- Re: [Captive-portals] A final check on draft-ietf… Michael Richardson
- Re: [Captive-portals] A final check on draft-ietf… Martin Thomson
- Re: [Captive-portals] A final check on draft-ietf… Michael Richardson
- Re: [Captive-portals] A final check on draft-ietf… Erik Kline
- Re: [Captive-portals] A final check on draft-ietf… Martin Thomson
- Re: [Captive-portals] A final check on draft-ietf… Erik Kline
- Re: [Captive-portals] A final check on draft-ietf… David Dolson
- Re: [Captive-portals] A final check on draft-ietf… Erik Kline
- Re: [Captive-portals] A final check on draft-ietf… Michael Richardson