[Danish] Hospital use case ... RE: Charter Text and the Problem Statement

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Mon, 21 June 2021 05:44 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Wes Hardaker <wjhns1@hardakers.net>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "danish@ietf.org" <danish@ietf.org>
Thread-Topic: Hospital use case ... RE: [Danish] Charter Text and the Problem Statement
Date: Mon, 21 Jun 2021 05:44:11 +0000
Message-ID: <DBBPR08MB5915C5820472B6B3C1B4A602FA0A9@DBBPR08MB5915.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/pD80qnJ95o_O3GBRu3mrVDoRfGY>
Subject: [Danish] Hospital use case ... RE: Charter Text and the Problem Statement
List-Id: DANE AutheNtication for Iot Service Hardening <danish.ietf.org>

Hi Wes,


> PS: I missed the example of onboarding a device in a hospital.

https://mailarchive.ietf.org/arch/msg/danish/OkQzlyZoKlEar5-GU6HgtSz3ebY/

Thanks for the pointer to the hospital use case.

Here is the relevant text:

"
Within a hospital, it is desirable to implement 802.1x authentication using
EAP-TLS for access to protected networks. EAP-TLS enables the use of
PKI-based identity to authenticate an entity for network access.

When implementing EAP-TLS for network access, RADIUS is a common
protocol/server used for authentication behind the switch or wireless
access point. Guidance for configuring RADIUS recommends the use of only
one CA certificate for authenticating supplicant certificates. This
guidance can be found in the wild in Freeradius configuration files for
EAP-TLS, related to the 'ca_file' configuration directive.
"

Network access authentication is often misunderstood. The use of TLS for network access authentication was a convenience rather than a necessity.
This means that there is functionality in TLS that is neither needed nor particularly useful for network access authentication.

On the web, you want to use a PKI because a browser can access many different websites. Any browser should be able to access any website, ideally.

The network access authentication model is different. There you have a one-to-one relationship. One user with their device has credentials to access one home AAA server.
Why is that? It has to do with authorization. The home AAA grants access to the visiting network via the backend AAA infrastructure. Only the home AAA server knows about the user's authorization information.

In that model, there is not much benefit of a PKI. All you need is a raw public key.

Why are people still using a complex PKI infrastructure for network access authentication? Well, I fear that most network administrators don't get the point that they do not need to model their organizational hierarchy into the PKI infrastructure.

So, what do we do? We offer them solutions to compress certificates, cache certificates, etc. (see draft-ietf-emu-eaptlscert) when the correct answer would be different.

Hence, the guidance you are mentioning above is actually pointing in the right direction.

If you go in the other direction and basically let the supplicant tap into your browser trust anchor store, then you have actually opened up the attack possibility substantially, because you can make regular web server certificates verify correctly during the EAP-TLS authentication.

Ciao
Hannes

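The trust-anchor point made in the message above, as an added example that is not code from the thread or from FreeRADIUS: it assumes the openssl CLI is installed and constructs a dedicated EAP CA, a stand-in public web CA, one supplicant certificate and one web server certificate (all names and subjects are made up), then runs the chain check a RADIUS server performs on the supplicant certificate against the single dedicated CA and against a bundle that also carries the web root, i.e. the browser-store misconfiguration.

```shell
#!/bin/sh
# Added example, not from the DANISH thread. Assumes the openssl CLI; all CA
# names, subjects and file names below are constructed for the demonstration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA. $1 = file base name, $2 = subject CN
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a leaf cert from a CA. $1 = CA base name, $2 = leaf base name,
# $3 = subject CN, $4 = extendedKeyUsage value (clientAuth or serverAuth)
issue_leaf() {
  printf 'extendedKeyUsage=%s\n' "$4" > "$WORK/$2.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" \
    >/dev/null 2>&1
}

make_ca eap-ca "Hospital EAP CA"                       # the one CA RADIUS should trust
make_ca web-ca "Example Public Web CA"                 # stand-in for a browser-store root
issue_leaf eap-ca pump "infusion-pump-17" clientAuth   # a legitimate supplicant
issue_leaf web-ca www "www.example.com" serverAuth     # an ordinary web server cert

# The weak setting: the RADIUS ca_file is a bundle that also carries web roots.
cat "$WORK/eap-ca.pem" "$WORK/web-ca.pem" > "$WORK/browser-store.pem"

# The chain check the RADIUS server performs on a supplicant certificate.
# $1 = trust bundle (what ca_file points at), $2 = presented certificate
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Same check, but also require the clientAuth EKU (-purpose sslclient).
verify_chain_client_eku() {
  openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

report() { if "$@"; then echo "ACCEPT: $*"; else echo "REJECT: $*"; fi; }
report verify_chain "$WORK/eap-ca.pem" "$WORK/pump.pem"        # ACCEPT: right CA
report verify_chain "$WORK/eap-ca.pem" "$WORK/www.pem"         # REJECT: not our CA
report verify_chain "$WORK/browser-store.pem" "$WORK/www.pem"  # ACCEPT: the attack surface
report verify_chain_client_eku "$WORK/browser-store.pem" "$WORK/www.pem"  # REJECT: EKU
```

The last check shows that insisting on the clientAuth EKU is a useful second line of defence, but the first line is still pointing ca_file at the one dedicated CA, exactly as the quoted RADIUS guidance says.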