Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

"Owen Friel (ofriel)" <ofriel@cisco.com> Sat, 16 November 2019 14:48 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Alan DeKok <aland@deployingradius.com>
CC: Jan-Frederik Rieckers <rieckers@uni-bremen.de>, "emu@ietf.org" <emu@ietf.org>
Date: Sat, 16 Nov 2019 14:47:57 +0000
Message-ID: <MN2PR11MB3901B314870FEA2B3D534FF5DB730@MN2PR11MB3901.namprd11.prod.outlook.com>
In-Reply-To: <C8F65B52-FDEA-44EB-8ADA-CB88F1D9E3A6@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/2DGxz7J2rkKumJ0JcBKwqqMXUsE>
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>


-----Original Message-----
From: Alan DeKok <aland@deployingradius.com> 
Sent: 16 November 2019 14:29
To: Owen Friel (ofriel) <ofriel@cisco.com>
Cc: Jan-Frederik Rieckers <rieckers@uni-bremen.de>; emu@ietf.org
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

On Nov 16, 2019, at 7:59 AM, Owen Friel (ofriel) <ofriel@cisco.com> wrote:
> [ofriel] this seems like something reasonable, but that's more a general deployment recommendation: ensure that the identity/realm of EAP servers is different from the identity/domain of webservers within an org. Therefore, in the absence of an NAIRealm or id-kp-eapOverLAN extension in a cert, clients can still distinguish between the two. Users point their browser clients to 'example.org' and wi-fi supplicants are configured to look for 'radius.example.org'.
> 
> The supplicant logic for verifying EAP server identity (assuming it already knows the root CA and a realm/domain string) could be to check for NAIRealm first, then check for id-kp-eapOverLAN, then check for a dnsName.

  There is currently no document which offers guidance for implementors.  There's just common practice, and various standards.  Which are unfortunately different.  Even worse, it's not clear how these practices interact, or how we should migrate from existing practice to using the standards.

  I think it would be useful for this WG to have a document which gives these guidelines.

[ofriel] Happy to help put a strawman for that together, along with some recommendations for the other PSK ambiguity.

  Alan DeKok.
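The check order Owen Friel sketches above (NAIRealm, then id-kp-eapOverLAN, then a bare dNSName), written out as an added supplicant-side decision procedure; this is example code, not anything from the thread or from any supplicant implementation. It assumes the chain has already been validated against the configured root CA, models the certificate as an already-parsed record (constructed sample data, not DER), and uses the id-on-naiRealm otherName OID from RFC 7585 and the id-kp-eapOverLAN EKU OID from RFC 4334.

```python
# Added example: supplicant identity check in the order NAIRealm -> EKU -> dNSName.
# Certificates are modelled as already-parsed dataclasses (constructed input).
from dataclasses import dataclass, field

ID_ON_NAIREALM = "1.3.6.1.5.5.7.8.7"     # RFC 7585 otherName type (documentation only)
ID_KP_EAPOVERLAN = "1.3.6.1.5.5.7.3.14"  # RFC 4334 extended key usage


@dataclass
class Cert:
    """Fields a supplicant would pull from an already chain-validated server cert."""
    dns_names: list = field(default_factory=list)   # SAN dNSName entries
    nai_realms: list = field(default_factory=list)  # SAN otherName id-on-naiRealm values
    ekus: list = field(default_factory=list)        # extendedKeyUsage OIDs


def realm_matches(pattern: str, realm: str) -> bool:
    """NAIRealm match; RFC 7585 allows a single leading '*' wildcard label."""
    pattern, realm = pattern.lower(), realm.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.org"; wildcard covers exactly one label
        return realm.endswith(suffix) and realm.count(".") == pattern.count(".")
    return pattern == realm


def verify_eap_server(cert: Cert, realm: str, allow_legacy_dns: bool = False):
    """Return (accepted, reason) for a server cert against the configured realm.

    1. NAIRealm present  -> it must match; nothing else is consulted.
    2. id-kp-eapOverLAN  -> cert is explicitly an EAP server cert; match dNSName.
    3. Bare dNSName only -> accepted only if the deployment opts in, because a web
       server cert carrying the same name would pass exactly the same test.
    """
    if cert.nai_realms:
        if any(realm_matches(p, realm) for p in cert.nai_realms):
            return True, "NAIRealm match"
        return False, "NAIRealm present but does not match configured realm"
    if ID_KP_EAPOVERLAN in cert.ekus:
        if realm.lower() in (n.lower() for n in cert.dns_names):
            return True, "id-kp-eapOverLAN with dNSName match"
        return False, "id-kp-eapOverLAN present but dNSName mismatch"
    if allow_legacy_dns and realm.lower() in (n.lower() for n in cert.dns_names):
        return True, "legacy dNSName match only (ambiguous with web server certs)"
    return False, "no EAP-specific identity and legacy dNSName matching not allowed"
```

The last two branches are where the deployment advice in the quoted text matters: a supplicant configured for 'radius.example.org' never accepts a web cert for 'example.org', even in legacy mode.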