IETF Logo Mail Archive

Re: [Emu] EAP/EMU recommendations for client cert validation logic

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 17 December 2019 18:52 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFB2B1208C1; Tue, 17 Dec 2019 10:52:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5IMr0vevHG8c; Tue, 17 Dec 2019 10:52:13 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41E69120870; Tue, 17 Dec 2019 10:51:11 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id CD1BA38981; Tue, 17 Dec 2019 13:51:06 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id B4BD2D36; Tue, 17 Dec 2019 13:51:09 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "spasm@ietf.org" <spasm@ietf.org>, EMU WG <emu@ietf.org>
In-Reply-To: <MN2PR11MB3901F9B86DAC83AF67FBA49DDB560@MN2PR11MB3901.namprd11.prod.outlook.com>
References: <MN2PR11MB3901F9B86DAC83AF67FBA49DDB560@MN2PR11MB3901.namprd11.prod.outlook.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 17 Dec 2019 13:51:09 -0500
Message-ID: <6719.1576608669@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/7pr-nb1HaHr75S3F1DxRJvX9m1w>
Subject: Re: [Emu] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Dec 2019 18:52:17 -0000

Owen Friel (ofriel) <ofriel@cisco.com> wrote:
    > “Background:

    > a) the current practice in TLS-based EAP methods is to use certificates with
    > "id-kp-serverAuth" OID set for Extended Key Usage.

    > b) many supplicants check for this OID, and refuse to perform authentication
    > if it is missing

    > c) supplicants do not check DNS names or any other field in the certificates

    > d) as a result of this lack of verification, supplicants ship with all known
    > CAs disabled for TLS-based EAP methods”

    > The key consideration is that RFCs that recommend cert fields for EAP servers
    > that clients should check for are not currently issued by public CAs, and in
    > some instances (e.g. SSID) ownership can often not be proven by CAs.

    > For example:

    > https://tools.ietf.org/html/rfc4334#section-2 id-kp-eapOverLAN EKU

    > https://tools.ietf.org/html/rfc4334#section-3 id-pe-wlanSSID

    > https://tools.ietf.org/html/rfc7585#section-2.2 NAIRealm

    > If an EAP server operator wants to use a public CA identity cert on their EAP
    > server, what recommendations should we give to EAP clients so that the
    > supplicant code can handle public or private CA issued EAP server identity in
    > a secure a fashion as possible?

    > If at some point in the future, public CAs are willing to issue certs with
    > some or all of the above fields, then what is the migration plan, what do we
    > tell EAP clients to do now, and how to they migrate their verification
    > logic?

I think that this is a really big if.
So, I want to change the question, which I think can make this problem a lot
easier to get traction on.

} If at some point in the future, there is one or more well-known trust
} anchors that (IoT?) devices can build in, and these CAs are willing to issue
} certs with some or all of the above fields, can we design a transition
} process from one-touch provisioned private CAs to a common DN+extension
} based common anchor?

    > The ideal experience would be along these lines for a client with real user
    > interactions:

    1> - client connects to an EAP server
    2> - client prompts user for userId + realm and password
    3> - client verifies server cert has id-kp-eapOverLAN set
    4> - NAIRealm in cert matches user’s realm
    5> - verify the cert signing chain

<2> and <3> seem in the wrong order.
If the certificate has NAIRealm, why would we need to ask the user for the
realm?  Wouldn't we instead ask them: "What is your userID in REALM FOO"

    > The reality today is that if the server cert is issued by a public CA, then
    > all that client can really check is:

    1> - id-kp-serverAuth is set
    2> - dNSName in cert matches user’s realm
    3> - verify the cert signing chain

I think that <3> happens first, and the connection is dropped if it does not
validate.  Maybe you aren't expressing an order here at all.

    > It seems like logic should be something like:

    > - recommend EAP operators with private CA issued certs on their EAP servers
    > set id-kp-eapOverLAN and NAIRealm set
    > - recommend EAP operators using public CAs get EAP server certs with
    > id-kp-serverAuth and dNSName set
    > - recommend clients enable trust in public CAs
    > - recommend clients implement different cert verification logic depending on
    > whether the EAP server cert is issued by a public CA or private CA

Would setting dNSNAME on private CA issued certs reduce complexity?

    > - as a longer term goal see if public CAs will issue id-kp-eapOverLAN and
    > NAIRealm. Although of course if some were to start doing this, then there is
    > a migration challenge, and clients cannot make a hard check for these values
    > against all public CAs. This doesn’t really seem practical in the near term
    > at all.

Trust NAIRealm extension only if id-kp-eapOverLAN is set.
having implemented the dNSNAME code path, it seems like there is no point in
implementing the other path.

    > Note that for an IoT device, there is some work to do to define how to e.g.
    > extend the RFC8366 so that it can specify the dNSName that devices should
    > check for when verifying EAP identity where they EAP server uses a public CA.
    > Some related options are outlined in
    > https://tools.ietf.org/html/draft-friel-anima-brski-cloud-01.

Owen and I have wrangled about the topic of how exactly the pinning is done.
The above document does not really outline the problem space in my opinion,
focusing on other dimensions of the process.

The requirements that Owen has expressed to me are:
  1) 8366bis must be able to pin CA + DN/SAN, such that the operator can rotate their
     public key without invalidating the voucher. (possibly including
     changing public key algorithm)

  2) 8366bis must be able to pin (?-public key), such that the operator can
     switch (public) CAs without invalidating the voucher.

There might be a (3) that I can't think of right now.

But, if these two requirements seem to contradict each other, then high-five
to you, you were paying attention :-)

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email