IETF Logo Mail Archive

Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

Alan DeKok <aland@deployingradius.com> Mon, 20 January 2020 16:29 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 471BB1208E3; Mon, 20 Jan 2020 08:29:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9CbcKpmOMpRk; Mon, 20 Jan 2020 08:28:57 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3449F1208DD; Mon, 20 Jan 2020 08:28:57 -0800 (PST)
Received: from [192.168.46.130] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id 08C421202; Mon, 20 Jan 2020 16:28:54 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none header.from=deployingradius.com
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAErg=HHtQNYa-YG=jnLoHM68EUs6MwRhVEKEw_V1wsDSTA80Cg@mail.gmail.com>
Date: Mon, 20 Jan 2020 11:28:53 -0500
Cc: "David B. Nelson" <d.b.nelson@comcast.net>, Benjamin Kaduk <kaduk@mit.edu>, EMU WG <emu@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4B3EC1F1-9CAB-4E87-8F0E-53BDCDADD096@deployingradius.com>
References: <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <316CC74D-667B-4A1E-AD48-A702DF705423@deployingradius.com> <6191.1578513600@localhost> <CB67C090-4D6A-4586-AD7C-99A29EF5D92D@deployingradius.com> <CAOgPGoDADPY125Bf7mbPCpEVkwVF=YmbG9wAN0S-WyCWg27BCw@mail.gmail.com> <20200116040715.GC80030@kduck.mit.edu> <CAErg=HHwLOw9sL2=nGca5MuuyiV2Zghrp6prR7SqLJAvfCLmjA@mail.gmail.com> <B3A03277-C176-4E63-ADB3-70133E2ABA46@deployingradius.com> <MN2PR11MB3901D1B17802F2DACCC8966CDB300@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HE0XDbhuibtky5VhvZYUnQxDitLSEuf4uzXnuByNQN+4Q@mail.gmail.com> <55CE7F32-B5DE-44F5-AE06-72BE12FA05FF@deployingradius.com> <CAErg=HH8LjqMR37Ek1uK12uCDj4N89Ot=Fm_PLOBdeXsv3sdpw@mail.gmail.com> <7F591857-4B7B-41BD-B101-6C40BE527644@deployingradius.com> <CAErg=HF9SQCmP9hi8SP-EstyYL-qVLWMeitP2AHc3T6ZWZM4vQ@mail.gmail.com> <9AADAAD6-0A66-4198-AFBF-DBC2D87DBFA0@deployingradius.com> <CAErg=HE8WO1oU=ZUxMeJZpxVyM_6ypCn-3_9UqKkMv44c7Do=Q@mail.gmail.com> <07C710A5-3B2A-4D15-8BB7-AB5A8B5EF5D1@deployingradius.com> <CAErg=HGf=3z+_S2f+_ciSunpi4W05aKxoxx=ozH9kXtooAJL9w@mail.gmail.com> <7C85D468-1D28-4C3A-BC3E-C42374933B51@deployingradius.com> <CAErg=HFM4=V1YjD2Z7Rd5cNsDv6v9oTwKcbaTwhDdrQvOwtS9w@mail.gmail.com> <5ED33CB8-4C56-4117-A001-C2EB056CA80B@deployingradius.com> <CAErg=HF2L-XSQExoKz71QcZMqJdA-gn3KxnZwT1qypzBA9Hi3Q@mail.gmail.com> <22430B86-2680-4E50-AF12-A200FD051E8D@deployingradius.com> <CAErg=HGE-AwviP-VurLJ58vsmkK4uqVCfoqRK4TkEdbSRegN_g@mail.gmail.com> <399CEA71-241C-4E34-833F-5777051A188D@comcast.net> <CAErg=HHtQNYa-YG=jnLoHM68EUs6MwRhVEKEw_V1wsDSTA80Cg@mail.gmail.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/A66sR1Vc9U8TsxHrR005b1CkiTw>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2020 16:29:00 -0000

On Jan 20, 2020, at 10:44 AM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
> It’s a distinction that cuts to the heart of the original proposal, echo’d several times on this thread: Can’t we just use the TLS CAs shipped by the OS today for this, ideally so that OS vendors don’t have any added work.

  There has been consensus already that it's wrong to use the existing TLS CAs

> In that context, it’s essential to make the distinction that while the end-user experience is indistinguishable, the engineering involved - and the work of standards here - is meaningfully different. If we conflate the two or think “let’s just use what we have”, then the world of zero touch will not happen. That’s why it’s essential to focus on the notion of defining a new root store, one that doesn’t have to be generally available to software running on that OS, limited for a particular purpose, so that we can enumerate the necessary profiles and practices.

  I agree.

> It’s also essential to understanding that this solution isn’t gated on a first-mover problem, as had also been suggested, where everything is doomed unless and until the OS moves. There’s considerable work that can - and should - be done, which makes it easier to bring about the second solution (“zero-touch”), by making sure that the first problem (“what SHOULD you do”) adequately focuses on making a transition possible.

  I don't think "doomed".  I think *required*.  i.e. the end goal *is* to have it "just work" out of the box.

  I think we may be arguing semantics, and avoiding some common points.

  I *do* agree that we can define new CAs just for EAP today.  I do agree that these CAs can be used by supplicants that exist today, via manual configuration.

  However, I do also believe that we will not get new behaviour without changing the supplicant implementations.  So the intermediate step of just using a "new CA" has near-zero benefits to the end user.

  And, if the new CA must be configured manually, then that step is no different than what we have today.  Which means that this intermediate step further has near-zero benefits.

  That's why I'm focussed on the end goal: updating the root CAs *and* supplicant implementations at the same time.  And, making sure that all of these updates ship with the product that the consumer buys.  The intermediate steps gain nothing.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email