IETF Logo Mail Archive

Re: [Emu] Issue 47 Certificate identity checks

Alan DeKok <aland@deployingradius.com> Mon, 12 April 2021 12:52 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A21C83A1CA5 for <emu@ietfa.amsl.com>; Mon, 12 Apr 2021 05:52:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IgFipfZOxspP for <emu@ietfa.amsl.com>; Mon, 12 Apr 2021 05:52:35 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E7843A1CA4 for <emu@ietf.org>; Mon, 12 Apr 2021 05:52:35 -0700 (PDT)
Received: from [192.168.46.152] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id 7ABEF39; Mon, 12 Apr 2021 12:52:33 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <98456329-CE85-4BB2-B93F-74776FEBA299@cisco.com>
Date: Mon, 12 Apr 2021 08:52:32 -0400
Cc: Joseph Salowey <joe@salowey.net>, EMU WG <emu@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <CE04DDF5-2605-4C2D-9E95-6C1DEDA478B8@deployingradius.com>
References: <CAOgPGoArm2RdEN4V-L9XEUvOeG0Vs+58Zj_p3Y2yRY0aYsVV_A@mail.gmail.com> <98456329-CE85-4BB2-B93F-74776FEBA299@cisco.com>
To: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/0ubjNFk4SwvW4uAD7ZPHdyNJMg4>
Subject: Re: [Emu] Issue 47 Certificate identity checks
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Apr 2021 12:52:40 -0000

On Apr 12, 2021, at 3:54 AM, Eliot Lear <lear=40cisco.com@dmarc.ietf.org> wrote:
> “EAP peers need to have some basis to decide which networks are authorized.  A key signal for this purpose is the validation of the server certificate.  To prevent use of the wrong server, the peer SHOULD have some means to select and update appropriate trust anchors.  How this happens is beyond the scope of this memo."

  Yes.

  Many existing systems won't allow users to select trust anchors.  Many existing systems won't even "pin" trust anchors.  If the root CA used by an EAP-TLS server changes, they might notify the user.  Or they might just send over the new credentials.  It's all really bad.

>> EAP TLS peer implementations MUST allow for configuration of a unique trust root to validate the server's certificate.
> 
> This statement seems independent of the previous one, and may be overly broad.  Let me give you an example: a device may be designed only to operate as part of a federation.

  I would agure there that the federation should have it's own CA. 

  I'm not sure what it means to have a federation where someone else controls who is a member of the federation.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email