IETF Logo Mail Archive

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 14 November 2019 12:39 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88BF6120251 for <emu@ietfa.amsl.com>; Thu, 14 Nov 2019 04:39:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VvKRsEHGeSwX for <emu@ietfa.amsl.com>; Thu, 14 Nov 2019 04:39:21 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67FB0120232 for <emu@ietf.org>; Thu, 14 Nov 2019 04:39:21 -0800 (PST)
Received: from [192.168.41.2] (unknown [49.74.66.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by tuna.sandelman.ca (Postfix) with ESMTPSA id 49C8D3818F; Thu, 14 Nov 2019 07:36:07 -0500 (EST)
To: Alan DeKok <aland@deployingradius.com>
Cc: emu@ietf.org
References: <102dd850-b1ae-3426-8189-45876b7b419d@uni-bremen.de> <04E2AEF5-F1EE-4B74-B5BB-DFE099543C92@vigilsec.com> <D735A4DB-1CFB-4DF4-ACB7-BC6EFDBC6CDE@deployingradius.com> <E0B8DAA7-8C7C-455F-B5BE-128670A093D3@vigilsec.com> <BD30A64D-539C-422D-9413-880AF8D6A16F@deployingradius.com> <8147b718-23d6-07de-a565-08bcc8148095@uni-bremen.de> <MN2PR11MB3901077F38165EE241D30BC5DB740@MN2PR11MB3901.namprd11.prod.outlook.com> <08da27e5-518e-b6a4-a97a-b4ae9c32ed00@uni-bremen.de> <46C8D8C4-7317-47F3-8F9B-6C56F7B7FEE9@vigilsec.com> <F45360DB-D474-4600-BEFD-3C844FA4CB0A@deployingradius.com> <240b3611-706c-303f-82aa-3fc3d78b7aa3@sandelman.ca> <9AD503C8-EE44-4EEC-B87E-8BBC11EB031A@deployingradius.com>
From: Michael Richardson <mcr+ietf@sandelman.ca>
Message-ID: <cf106339-d9ae-4a1e-3df3-a0fd487f73c3@sandelman.ca>
Date: Thu, 14 Nov 2019 20:38:59 +0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <9AD503C8-EE44-4EEC-B87E-8BBC11EB031A@deployingradius.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/9c_2faFXmjdc82v80qNTCT8KbCQ>
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Nov 2019 12:39:23 -0000


On 2019-11-14 7:59 p.m., Alan DeKok wrote:
> On Nov 13, 2019, at 6:23 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>> I think that the issue isn't, can we find or define a OID that has the
>> right semantics.
>> I think that the issue whether or not any public CAs are willing to
>> include that into a certificate.
>   That's less relevant than it may be.
>
>   The common practice for years has been to recommend self-signed or "internal" CAs.  The original reason was that supplicants didn't do certificate pinning.  So if they were configured to trust a root CA, they would send user credentials to *any* EAP authentication server which had a certificate signed by that CA.  With certificate pinning, they now warn if the server certificate changes.
>
>   The other reason is that supplicant configuration is still largely a manual process.  If admins need a complex process to configure the supplicant, then adding a self-signed CA to the mix has near-zero cost.  And supplicant vendors seem entirely disinterested in a standard way to configure them.

I understand.
If the authentication server is manually configured, then it matters not
in the last what OIDs might be in the certificate.

We believe that TEAP-BRSKI (or BRSKI-WIFI) will result in supplicants
being configured during an automated process.
This would involve getting the organizational root CA, and it could pin
the authentication server certificate, or
it could pin just a DN, TBD.  The OIDs might be be useful that point,
but I would generally find them not interesting.

v2.23.0 | Report a Bug | By Email