Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

"Cappalli, Tim (Aruba)" <timc@hpe.com> Tue, 12 November 2019 23:59 UTC

From: "Cappalli, Tim (Aruba)" <timc@hpe.com>
To: Alan DeKok <aland@deployingradius.com>
CC: Russ Housley <housley@vigilsec.com>, "emu@ietf.org" <emu@ietf.org>
Date: Tue, 12 Nov 2019 23:59:17 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/2jWPXtxJQxaIhvQzZgHeclAyyfU>

Regardless of validation levels, it is not possible to own an ESSID. It is possible, however, to own a domain, email address, physical address, etc. That's the difference.

Putting an ESSID in a certificate is a slippery slope. I doubt any public CA or OS vendor would ever entertain this.

Tim


________________________________
From: Alan DeKok <aland@deployingradius.com>
Sent: Tuesday, November 12, 2019 18:40
To: Cappalli, Tim (Aruba)
Cc: Russ Housley; emu@ietf.org
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

On Nov 12, 2019, at 3:13 PM, Cappalli, Tim (Aruba) <timc@hpe.com> wrote:
>
> How does a public CA prove ownership of an SSID?

  Do public CAs *always* verify addresses and/or telephone numbers, which are normally included in certificates?

  Do public CAs verify that email addresses in the certificate work?

  Do public CAs verify that the OIDs in the certificate match the intended use-cases?

  Is there a global registry of SSIDs which the public CA could use to verify the SSID?

  To put it another way, I'm not sure why this question is being posed.

  Alan DeKok.