Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

"Owen Friel (ofriel)" <ofriel@cisco.com> Mon, 11 November 2019 23:15 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Jan-Frederik Rieckers <rieckers@uni-bremen.de>, Alan DeKok <aland@deployingradius.com>, Russ Housley <housley@vigilsec.com>
CC: "emu@ietf.org" <emu@ietf.org>
Thread-Topic: [Emu] Idea: New X509 Extension for securing EAP-TLS
Date: Mon, 11 Nov 2019 23:15:36 +0000
Message-ID: <MN2PR11MB3901077F38165EE241D30BC5DB740@MN2PR11MB3901.namprd11.prod.outlook.com>
References: <102dd850-b1ae-3426-8189-45876b7b419d@uni-bremen.de> <04E2AEF5-F1EE-4B74-B5BB-DFE099543C92@vigilsec.com> <D735A4DB-1CFB-4DF4-ACB7-BC6EFDBC6CDE@deployingradius.com> <E0B8DAA7-8C7C-455F-B5BE-128670A093D3@vigilsec.com> <BD30A64D-539C-422D-9413-880AF8D6A16F@deployingradius.com> <8147b718-23d6-07de-a565-08bcc8148095@uni-bremen.de>
In-Reply-To: <8147b718-23d6-07de-a565-08bcc8148095@uni-bremen.de>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/0Ozrv0mHSOR6ofaGFtkgjDJPBjI>
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

This is also related to ongoing ANIMA discussions about RFC 8366, and how it can bootstrap trust when the pinned domain cert is a public PKI CA and not a private CA, and hence additional domain (or realm or FQDN) info is also needed in order for the peer to verify the identity of the server.

It's also relevant for ongoing Wi-Fi Alliance DPP discussions about bootstrapping a supplicant onto an 802.1X network - after a supplicant completes DPP and gets provisioned with a trust anchor - what if that trust anchor is a public PKI? It's the same problem.

One deployment consideration is that if an operator wants to use a public PKI (e.g. Let's Encrypt) for their AAA certs, then it could be years, if ever, before these extensions could be supported (as Alan alludes to), so it would also be good to define how this could work with standard RFC 6125 DNS-IDs / RFC 5280 dNSNames.

> -----Original Message-----
> From: Emu <emu-bounces@ietf.org> On Behalf Of Jan-Frederik Rieckers
> Sent: 11 November 2019 09:42
> To: Alan DeKok <aland@deployingradius.com>; Russ Housley
> <housley@vigilsec.com>
> Cc: emu@ietf.org
> Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS
> 
> Hi,
> Thank you for your feedback.
> 
> I was unaware of RFC 7585. I had a brief look at it and it seems that the
> certificate part could be used for the goal I try to achieve.
> 
> I'm not quite sure if the naiRealm should be used for validation on supplicants
> for EAP-TLS. I would assume it would not be a security issue, but I don't have
> enough experience to be sure about that.
> 
> The main reason why I submitted this draft is my experience from the
> deployment of eduroam at University Bremen.
> With the expiry of the root CA in use and the needed migration, we have forced all
> our users to use one specific outer identity, to be sure the users configure their
> devices with the eduroam Configuration Assistant Tool (CAT, cat.eduroam.org)
> instead of a manual configuration, because in our experience manually configured
> devices almost always lacked configuration for certificate checking.
> But I only have experience with local deployment; the federation connections are
> done at higher levels (country research networks), so I don't have insight there.
> 
> Greetings,
> Jan-Frederik Rieckers