Re: [Emu] Best practices for supplicants and authenticators

"Cappalli, Tim (Aruba)" <timc@hpe.com> Mon, 18 November 2019 15:37 UTC

From: "Cappalli, Tim (Aruba)" <timc@hpe.com>
To: Alan DeKok <aland@deployingradius.com>
CC: EMU WG <emu@ietf.org>
Date: Mon, 18 Nov 2019 15:37:05 +0000
Message-ID: <AT5PR8401MB05309AD8F339DF5B6BD2E993DB4D0@AT5PR8401MB0530.NAMPRD84.PROD.OUTLOOK.COM>
References: <526166D8-80B9-4356-84D9-52ACD49E004B@deployingradius.com> <AT5PR8401MB0530EEE33628E2DB3098C1E6DB4D0@AT5PR8401MB0530.NAMPRD84.PROD.OUTLOOK.COM>, <D3569D77-A2AB-4FEE-BF2A-1AAAFCB9D3D6@deployingradius.com>
In-Reply-To: <D3569D77-A2AB-4FEE-BF2A-1AAAFCB9D3D6@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/4pff8LXs3lMIcsXHy_PxPJGN_uc>

If the goal is not to improve identity assurance of an EAP server, then what is this best practice change actually for?

From: Alan DeKok <aland@deployingradius.com>
Date: Monday, November 18, 2019 at 10:34 AM
To: Cappalli, Tim (Aruba) <timc@hpe.com>
Cc: EMU WG <emu@ietf.org>
Subject: Re: [Emu] Best practices for supplicants and authenticators


> On Nov 18, 2019, at 10:22 AM, Cappalli, Tim (Aruba) <timc@hpe.com> wrote:
>
> So again, if NAIRealm is not bound to an organization’s public domain name,

  I never suggested that or implied it.  I'm not sure why it's relevant.

> how does a public CA prove ownership of an NAIRealm? How is this different than ESSID?

  I had hoped that my point was clear.

  The requirement would be for the NAIRealm to be in the same domain as the rest of the certificate.  Anything else makes zero sense.

  i.e. if the certificate is from "example.org", then the NAIRealm should be "example.org", or any other name within that domain, such as "radius.example.org".

> I don’t see how this improves assurance of a server identity.

  No one proposed the position you're opposing, so the conclusion above is irrelevant.

  On the other hand, if the requirement is that the NAIRealm be the domain name, then it makes perfect sense, and it's useful.

  We can't use existing fields to derive the NAIRealm.  The common name is typically an email address and *not* a domain name.  The various DNS fields are DNS host names (FQDNs), and not domain names.  We can *suggest* that supplicants can check these fields.  But it involves parsing them, and deriving *implicit* meaning from them.

  In contrast, an NAIRealm field is *explicit* meaning, that doesn't require additional derivation.

  I think that explicit statements of intent are useful.  I don't see why there's any controversy about this.

  Alan DeKok.
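The explicit-versus-implicit distinction Alan draws, and his "same domain as the rest of the certificate" rule, as an added example that is not part of the thread. It assumes the certificate's names have already been extracted from the X.509 structure (the `ServerCertNames` container and the `SAMPLE` values are constructed here), that the supplicant knows the realm from the user's NAI, and that wildcard NAIRealm values are not in use.

```python
# Added example (not from the EMU thread): realm checks a supplicant or a CA
# could apply to an EAP/RADIUS server certificate.  Names are assumed to be
# already extracted from the certificate; NAIRealm is the RFC 7585 otherName.
from dataclasses import dataclass


@dataclass
class ServerCertNames:
    common_name: str            # often an email address, as the thread notes
    dns_names: tuple = ()       # SAN dNSName entries (FQDNs, not domains)
    nai_realms: tuple = ()      # SAN otherName NAIRealm entries


def _norm(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are DNS-style."""
    return name.lower().rstrip(".")


def _within(name: str, domain: str) -> bool:
    """True if name equals domain or is a label-wise subdomain of it."""
    name, domain = _norm(name), _norm(domain)
    return name == domain or name.endswith("." + domain)


def explicit_realm_ok(cert: ServerCertNames, configured_realm: str) -> bool:
    """Explicit check: some NAIRealm must equal the realm the supplicant is
    configured for.  No parsing of CN or host names; a certificate with no
    NAIRealm fails, rather than falling back to guesswork."""
    return any(_norm(r) == _norm(configured_realm) for r in cert.nai_realms)


def implicit_realm_candidates(cert: ServerCertNames) -> set:
    """The derivation the thread warns against: guess a realm from fields
    that carry no realm semantics.  An email CN yields its domain; each FQDN
    yields every parent domain, because nothing says which label boundary is
    the realm.  The caller gets a set of guesses, not a statement of intent."""
    guesses = set()
    cn = _norm(cert.common_name)
    if "@" in cn:
        guesses.add(cn.split("@", 1)[1])
    for fqdn in cert.dns_names:
        labels = _norm(fqdn).split(".")
        for i in range(1, len(labels) - 1):      # stop before the bare TLD
            guesses.add(".".join(labels[i:]))
    return guesses


def nairealm_consistent(cert: ServerCertNames) -> bool:
    """Issuance-side rule from the thread, simplified: each NAIRealm must be
    equal to, a parent of, or a child of every dNSName in the certificate.
    (Assumption: stricter than 'any name within that domain', since without a
    public-suffix list the code cannot tell where the domain itself starts.)"""
    return all(_within(h, r) or _within(r, h)
               for r in cert.nai_realms for h in cert.dns_names)


# Constructed sample: a server certificate as a supplicant might see it.
SAMPLE = ServerCertNames("admin@example.org", ("radius.example.org",), ("example.org",))
```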