IETF Logo Mail Archive

Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

"David B. Nelson" <d.b.nelson@comcast.net> Mon, 20 January 2020 15:13 UTC

Return-Path: <d.b.nelson@comcast.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E6A112008C for <emu@ietfa.amsl.com>; Mon, 20 Jan 2020 07:13:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cF3KWavE1r1B for <emu@ietfa.amsl.com>; Mon, 20 Jan 2020 07:13:27 -0800 (PST)
Received: from resqmta-ch2-06v.sys.comcast.net (resqmta-ch2-06v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B6B812007A for <emu@ietf.org>; Mon, 20 Jan 2020 07:13:27 -0800 (PST)
Received: from resomta-ch2-19v.sys.comcast.net ([69.252.207.115]) by resqmta-ch2-06v.sys.comcast.net with ESMTP id tXaHinUCmL7xwtYk2i7gLk; Mon, 20 Jan 2020 15:13:26 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=20190202a; t=1579533206; bh=QsS3JG8v26+ST63dmFgNwesXA+I0dURoNg23HZjgkG0=; h=Received:Received:Content-Type:Mime-Version:Subject:From:Date: Message-Id:To; b=l4N1H0PGiqF1vxYjzn7kHQR2iV/Us8fXP7CEsXwTyd0ekAlvq/idGIfUTZOv7lYEf XCfUZ5qIth0Nv8G8eXWBqB+Lh4x4+KrtaEEuKLpYWybZVdYr7vfJi2u/3N1EHwdiNp lsfZbHtISdKOY1iXNvYzD5uyCx/1Keck0FMuWg9PQW2zGN4s1mHt5tKDUTVBbM+rHb 0atUindR+WNhfRUEBBUAhANDPFjw38zNGqQHb27N7TUbaCfydwPWcdmotAZSNqvjNo tgm4bEay5hJxf/vh/KKmczEGzjKJL/1yYmdILVC0ZLYWsRicsNCuRRg4XIKnF0gVZU DI1bHBRZ1jUbQ==
Received: from [IPv6:2601:187:4000:6316:719e:cb1:222b:ed6c] ([IPv6:2601:187:4000:6316:719e:cb1:222b:ed6c]) by resomta-ch2-19v.sys.comcast.net with ESMTPSA id tYk0imzc3LNectYk1i5dhh; Mon, 20 Jan 2020 15:13:25 +0000
X-Xfinity-VMeta: sc=-100.00;st=legit
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: "David B. Nelson" <d.b.nelson@comcast.net>
In-Reply-To: <CAErg=HGE-AwviP-VurLJ58vsmkK4uqVCfoqRK4TkEdbSRegN_g@mail.gmail.com>
Date: Mon, 20 Jan 2020 10:13:24 -0500
Cc: Alan DeKok <aland@deployingradius.com>, EMU WG <emu@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>
Content-Transfer-Encoding: quoted-printable
Message-Id: <399CEA71-241C-4E34-833F-5777051A188D@comcast.net>
References: <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <316CC74D-667B-4A1E-AD48-A702DF705423@deployingradius.com> <6191.1578513600@localhost> <CB67C090-4D6A-4586-AD7C-99A29EF5D92D@deployingradius.com> <CAOgPGoDADPY125Bf7mbPCpEVkwVF=YmbG9wAN0S-WyCWg27BCw@mail.gmail.com> <20200116040715.GC80030@kduck.mit.edu> <CAErg=HHwLOw9sL2=nGca5MuuyiV2Zghrp6prR7SqLJAvfCLmjA@mail.gmail.com> <B3A03277-C176-4E63-ADB3-70133E2ABA46@deployingradius.com> <MN2PR11MB3901D1B17802F2DACCC8966CDB300@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HE0XDbhuibtky5VhvZYUnQxDitLSEuf4uzXnuByNQN+4Q@mail.gmail.com> <55CE7F32-B5DE-44F5-AE06-72BE12FA05FF@deployingradius.com> <CAErg=HH8LjqMR37Ek1uK12uCDj4N89Ot=Fm_PLOBdeXsv3sdpw@mail.gmail.com> <7F591857-4B7B-41BD-B101-6C40BE527644@deployingradius.com> <CAErg=HF9SQCmP9hi8SP-EstyYL-qVLWMeitP2AHc3T6ZWZM4vQ@mail.gmail.com> <9AADAAD6-0A66-4198-AFBF-DBC2D87DBFA0@deployingradius.com> <CAErg=HE8WO1oU=ZUxMeJZpxVyM_6ypCn-3_9UqKkMv44c7Do=Q@mail.gmail.com> <07C710A5-3B2A-4D15-8BB7-AB5A8B5EF5D1@deployingradius.com> <CAErg=HGf=3z+_S2f+_ciSunpi4W05aKxoxx=ozH9kXtooAJL9w@mail.gmail.com> <7C85D468-1D28-4C3A-BC3E-C42374933B51@deployingradius.com> <CAErg=HFM4=V1YjD2Z7Rd5cNsDv6v9oTwKcbaTwhDdrQvOwtS9w@mail.gmail.com> <5ED33CB8-4C56-4117-A001-C2EB056CA80B@deployingradius.com> <CAErg=HF2L-XSQExoKz71QcZMqJdA-gn3KxnZwT1qypzBA9Hi3Q@mail.gmail.com> <22430B86-2680-4E50-AF12-A200FD051E8D@deployingradius.com> <CAErg=HGE-AwviP-VurLJ58vsmkK4uqVCfoqRK4TkEdbSRegN_g@mail.gmail.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/B77teJDxnVh9OXy077_T8iEqz58>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2020 15:13:32 -0000

On Jan 20, 2020, at 9:29 AM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
> 
> I'm well aware the end goal is that on a 'stock' install of your OS of choice, everything just works. I've outlined several times a plan to get to that - and which does not involve shipping roots in the OS, but roots in the supplicant that comes with the OS. The distinction is quite meaningful for the reasons outlined throughout this thread, even if the end user experience is "it just works” 

I think the distinction you’re trying to make between the OS and supplicants is very much an “inside baseball” view.  Modern OSes rely on a number of support components to deliver core functionality.  The OS is more than the kernel, GUI, CLI and browser.  From an end user perspective, all the OS-vendor shipped support components and utilities *are* the OS.  It’s not a useful distinction from a User Experience perspective that the supplicant code is or is not written by the same company as the kernel (and I suspect often it is).  It’s shipped as part of the product.

The arguments about the differentiated policies for use of certificates and trust of CAs is probably technically sound.  I think the notion that supplicant components can ship with a separate root CA store from that used for the browser is perhaps workable.  However, it’s still the OS vendor that must include this configuration for it to “just work out o the box”.  For that reason, I think the claim that it’s not the OS which must support the appropriate CAs is a distinction without a difference, and perhaps a red herring.

Regards,

Dave Nelson

> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu

v2.23.0 | Report a Bug | By Email