IETF Logo Mail Archive

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

Russ Housley <housley@vigilsec.com> Sun, 10 November 2019 16:16 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 390AD120170 for <emu@ietfa.amsl.com>; Sun, 10 Nov 2019 08:16:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Level:
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bto5U_4x1CnE for <emu@ietfa.amsl.com>; Sun, 10 Nov 2019 08:16:17 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E878A12004C for <emu@ietf.org>; Sun, 10 Nov 2019 08:16:16 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id F0A07300B0A for <emu@ietf.org>; Sun, 10 Nov 2019 11:16:14 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id MHSiHvUF56jq for <emu@ietf.org>; Sun, 10 Nov 2019 11:16:13 -0500 (EST)
Received: from [5.5.33.27] (unknown [204.194.23.17]) by mail.smeinc.net (Postfix) with ESMTPSA id 49349300A30; Sun, 10 Nov 2019 11:16:13 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <D735A4DB-1CFB-4DF4-ACB7-BC6EFDBC6CDE@deployingradius.com>
Date: Sun, 10 Nov 2019 11:16:13 -0500
Cc: Jan-Frederik Rieckers <rieckers@uni-bremen.de>, emu@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <E0B8DAA7-8C7C-455F-B5BE-128670A093D3@vigilsec.com>
References: <102dd850-b1ae-3426-8189-45876b7b419d@uni-bremen.de> <04E2AEF5-F1EE-4B74-B5BB-DFE099543C92@vigilsec.com> <D735A4DB-1CFB-4DF4-ACB7-BC6EFDBC6CDE@deployingradius.com>
To: Alan DeKok <aland@deployingradius.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/9CwhrQnJQTJ-j9lD9XuwFdmWg40>
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Nov 2019 16:16:19 -0000

Alan:
> 
> On Nov 9, 2019, at 1:00 PM, Russ Housley <housley@vigilsec.com> wrote:
>> 
>> With a very quick skim, it appears that you are trying to do the same thing as RFC 7585.
> 
>  I think there's overlap, but it's not quite the same thing.
> 
>  Both proposals add a "known realm" as an X.509 certificate property.  They differ in their usage, and in who is checking the fields.  I'll quickly recap:
> 
>  RFC 7585 allows for RADIUS clients to dynamically discover RADIUS servers via DNS.  As a sanity check, the discovered RADIUS server should induce the "known realm" in its server certificate.  The RADIUS client verifies that the "known realm" field matches the domain it was looking for.  Note that this verification is done by a RADIUS client, and is independent of the authentication mechanism carried inside of RADIUS.  (PAP, CHAP, EAP, etc.)
> 
>  In this proposal, the supplicant is the component which is checking the "known realm" field.  The supplicant verifies that the NAI it's sending matches the "known realm" sent by the server.
> 
>  It is common practice today for server certificates to include a contact email address in the common name field.  However, there's no requirement that this is done.  No one checks the domain of that email address against the NAI being used by the supplicant.
> 
>  I think that this proposal may be useful.  Given that the parties who check this field do so for different purposes, it may be useful to have two separate OIDs.
> 
>  On the other hand, RCC 7585 uses the OID for TLS connections which then carry RADIUS packets.  This draft would use an OID for EAP-TLS authentications, which are carried inside of RADIUS, and then inside of UDP / TCP / TLS / DTLS.  The uses-cases may be different enough to warrant re-use of the same OID.

Thanks for the overview.  It was very helpful.

RFC 7586 define the NAIRealm as an otherName in the SubjectAltName of a certificate.  It seems that the NAIRealm name form works equally well, regardless of the role that the certificate holder is performing in the protocol.

Russ

v2.23.0 | Report a Bug | By Email