Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

"Eliot Lear (elear)" <elear@cisco.com> Wed, 08 January 2020 10:00 UTC

From: "Eliot Lear (elear)" <elear@cisco.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: Alan DeKok <aland@deployingradius.com>, "spasm@ietf.org" <spasm@ietf.org>, EMU WG <emu@ietf.org>
Date: Wed, 08 Jan 2020 10:00:25 +0000
Message-ID: <5F6DD581-21D6-4304-824E-4846CA3BC335@cisco.com>
References: <MN2PR11MB3901F9B86DAC83AF67FBA49DDB560@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HEzR4U9L2Bbj65hSKo4=GEHv=NVGkySFpdCaK2NoJBmFQ@mail.gmail.com> <MN2PR11MB39013D4C54FEACDC8228D136DB3F0@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HG=ZTbzfSr8oQMWgzFNqmdPkUNttLQDprGo5F6LXv9T5Q@mail.gmail.com> <B823CF84-4F78-4B91-BC68-E173FA78C28D@deployingradius.com> <CAErg=HEAtGiJKpLamdUaHicU2Psu7_0RrwsrwiQpb-uHOZ2p2Q@mail.gmail.com> <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com>
In-Reply-To: <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/1tTbcHStue1fZ98p1uTCYXMOO3M>

Hi Ryan,

This topic seems like a good one to just get on the phone and sort through, but I have one question:

On 8 Jan 2020, at 09:11, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:

However, if using the same set of CAs that popular OSes use for TLS, it does mean that these CAs, and their customers, will still be subject to the same agility requirements, and limited to the same profile as TLS. Because of this, there's ample reason to split further into the dedicated hierarchy and dedicated EKU.

Is there an example of a non-EAP use where splitting into a new hierarchy has actually succeeded?

Eliot
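The point in the quoted paragraph, that an EAP deployment which wants to stay out of the public TLS profile needs both its own hierarchy and its own EKU, can be shown as validator logic. The Go program below is an added example and is not code from this thread or from any IETF document: it builds two in-memory roots (one standing in for a dedicated EAP hierarchy, one for a public TLS root), issues three client certificates that differ only in issuer or EKU, and accepts only the one that chains to the EAP root and carries both id-kp-clientAuth and the dedicated EKU. The choice of RFC 4334's id-kp-eapOverLAN as the dedicated EKU, the root and supplicant names, and all keys are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// The profile's dedicated EKU. RFC 4334 assigns this OID to id-kp-eapOverLAN; choosing it
// as the "dedicated EKU" from the thread is this example's assumption, not the thread's.
var oidEAPOverLAN = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 14}

var serial int64

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

// mint generates a P-256 key and signs tmpl with parent (nil parent means self-signed).
// It panics on failure because it only builds in-memory fixtures for this example.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber = nextSerial()
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// rootTemplate describes a CA; leafTemplate describes a client certificate with the given EKUs.
func rootTemplate(name string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

func leafTemplate(cn string, ekus []x509.ExtKeyUsage, extra []asn1.ObjectIdentifier) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: ekus, UnknownExtKeyUsage: extra}
}

// validateEAPClient is the check under discussion: chain only to the dedicated EAP roots
// (never the OS TLS store), require id-kp-clientAuth, then require the dedicated EKU.
func validateEAPClient(leaf *x509.Certificate, eapRoots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: eapRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	for _, oid := range leaf.UnknownExtKeyUsage {
		if oid.Equal(oidEAPOverLAN) {
			return nil
		}
	}
	return errors.New("client certificate lacks the dedicated EAP EKU")
}

// outcome holds the validator's verdict for each constructed leaf (nil means accepted).
type outcome struct{ Good, MissingEKU, ForeignRoot error }

// runScenario builds a dedicated EAP root and a separate "public TLS" root, issues three
// client certificates that differ only in EKU or issuer, and validates each.
func runScenario() outcome {
	eapRoot, eapKey := mint(rootTemplate("Example EAP Root (constructed)"), nil, nil)
	tlsRoot, tlsKey := mint(rootTemplate("Example Public TLS Root (constructed)"), nil, nil)
	pool := x509.NewCertPool() // the validator's trust store holds only the EAP root
	pool.AddCert(eapRoot)
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	dedicated := []asn1.ObjectIdentifier{oidEAPOverLAN}
	good, _ := mint(leafTemplate("supplicant-1", clientAuth, dedicated), eapRoot, eapKey)
	missing, _ := mint(leafTemplate("supplicant-2", clientAuth, nil), eapRoot, eapKey)
	foreign, _ := mint(leafTemplate("supplicant-3", clientAuth, dedicated), tlsRoot, tlsKey)
	return outcome{
		Good:        validateEAPClient(good, pool),
		MissingEKU:  validateEAPClient(missing, pool),
		ForeignRoot: validateEAPClient(foreign, pool),
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

The second and third leaves show the two halves of the argument separately: `supplicant-2` is issued by the right hierarchy but carries only the TLS-style id-kp-clientAuth, and `supplicant-3` has the right EKUs but chains to the public root, so neither is accepted; only a certificate that satisfies both the hierarchy and the EKU constraint passes.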