Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
Ryan Sleevi <ryan-ietf@sleevi.com> Sun, 19 January 2020 16:22 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23D741200D5; Sun, 19 Jan 2020 08:22:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AHyuTqDpFdDV; Sun, 19 Jan 2020 08:22:01 -0800 (PST)
Received: from mail-ed1-f43.google.com (mail-ed1-f43.google.com [209.85.208.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D3CA120013; Sun, 19 Jan 2020 08:22:00 -0800 (PST)
Received: by mail-ed1-f43.google.com with SMTP id m8so27156051edi.13; Sun, 19 Jan 2020 08:22:00 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UtpS7eZBoVG3V5c/Iv5wJzEk/MlTXY3XJNqbjQPfqkQ=; b=iDIoxeemtWOyL/mxCbJBzfm6J5Yo/3hGFG2f6mMI17HbmWw7xmc5iuTg5AVaaltWiJ ZSxWSTTgoXteKxNJVoSVLtoyBcP90lutKIspkEMEp0HAPlGGNSmVvrUrbtbE3QMtlG1D 2um+1hWQ5awn8y6rjiF+g2ESIjjH85Z2cSeoUKeFeOWltpvK9TZ8fbH269O6AUYManlr WtEqG8XcBBOJTQw9ifKMoCoS5OeAtmTXvsqJ9S7HyFQ/3D2x9awtauDKaVx5R4YqBJzw uyBJmqb6QC0N+fOINUowsMgNa8EGPcW1j05a5+0YXIBKOmTeGU3mF+R+SehR72zkJD+b F2bw==
X-Gm-Message-State: APjAAAWCwBHbKguHJhV8RBNkbsr4XibzeqtX+VJIUQbrE1Z/sihhJYs3 o5ylGvgzytWdnIGZGTbft0Zb6iFe
X-Google-Smtp-Source: APXvYqyt5EEn/VJ4smd5m2LopgjEljf7o/R+2UuGZTY8R0AmF8q2bqghZQAmq7xcjQtn0b8MX5YXLw==
X-Received: by 2002:a05:6402:3132:: with SMTP id dd18mr13926153edb.118.1579450918673; Sun, 19 Jan 2020 08:21:58 -0800 (PST)
Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com. [209.85.128.42]) by smtp.gmail.com with ESMTPSA id l26sm965624ejr.23.2020.01.19.08.21.58 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 19 Jan 2020 08:21:58 -0800 (PST)
Received: by mail-wm1-f42.google.com with SMTP id p17so12298531wma.1; Sun, 19 Jan 2020 08:21:58 -0800 (PST)
X-Received: by 2002:a7b:c775:: with SMTP id x21mr14855641wmk.59.1579450917841; Sun, 19 Jan 2020 08:21:57 -0800 (PST)
MIME-Version: 1.0
References: <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <316CC74D-667B-4A1E-AD48-A702DF705423@deployingradius.com> <6191.1578513600@localhost> <CB67C090-4D6A-4586-AD7C-99A29EF5D92D@deployingradius.com> <CAOgPGoDADPY125Bf7mbPCpEVkwVF=YmbG9wAN0S-WyCWg27BCw@mail.gmail.com> <20200116040715.GC80030@kduck.mit.edu> <CAErg=HHwLOw9sL2=nGca5MuuyiV2Zghrp6prR7SqLJAvfCLmjA@mail.gmail.com> <B3A03277-C176-4E63-ADB3-70133E2ABA46@deployingradius.com> <MN2PR11MB3901D1B17802F2DACCC8966CDB300@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HE0XDbhuibtky5VhvZYUnQxDitLSEuf4uzXnuByNQN+4Q@mail.gmail.com> <55CE7F32-B5DE-44F5-AE06-72BE12FA05FF@deployingradius.com> <CAErg=HH8LjqMR37Ek1uK12uCDj4N89Ot=Fm_PLOBdeXsv3sdpw@mail.gmail.com> <7F591857-4B7B-41BD-B101-6C40BE527644@deployingradius.com> <CAErg=HF9SQCmP9hi8SP-EstyYL-qVLWMeitP2AHc3T6ZWZM4vQ@mail.gmail.com> <9AADAAD6-0A66-4198-AFBF-DBC2D87DBFA0@deployingradius.com> <CAErg=HE8WO1oU=ZUxMeJZpxVyM_6ypCn-3_9UqKkMv44c7Do=Q@mail.gmail.com> <07C710A5-3B2A-4D15-8BB7-AB5A8B5EF5D1@deployingradius.com> <CAErg=HGf=3z+_S2f+_ciSunpi4W05aKxoxx=ozH9kXtooAJL9w@mail.gmail.com> <7C85D468-1D28-4C3A-BC3E-C42374933B51@deployingradius.com>
In-Reply-To: <7C85D468-1D28-4C3A-BC3E-C42374933B51@deployingradius.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Sun, 19 Jan 2020 10:54:35 -0500
X-Gmail-Original-Message-ID: <CAErg=HFM4=V1YjD2Z7Rd5cNsDv6v9oTwKcbaTwhDdrQvOwtS9w@mail.gmail.com>
Message-ID: <CAErg=HFM4=V1YjD2Z7Rd5cNsDv6v9oTwKcbaTwhDdrQvOwtS9w@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, EMU WG <emu@ietf.org>, Joseph Salowey <joe@salowey.net>, Michael Richardson <mcr+ietf@sandelman.ca>, "Owen Friel (ofriel)" <ofriel@cisco.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e5efd6059c809206"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/CZ13AS4Pga1EJL2GW-2MYMMcFcQ>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jan 2020 16:22:03 -0000
I think we’re in more agreement than disagreement here, but I think part of your analysis missed the mark. On Sun, Jan 19, 2020 at 10:07 AM Alan DeKok <aland@deployingradius.com> wrote: > The question here is *what* root store? It's easy for browsers to ship > root stores. The WWW root stores are well known. > > What root store is already widely known, and trusted for EAP? There isn’t one today, which is exactly why you have no need to use anything existing. You define your certificate profile. You define your certificate policies - what information they validate and how they validate. The root store is the result of defining those two, and then allowing CAs interested in that set to apply and be evaluated against that. There’s nothing extant, as we’ve agreed multiple times, because everyone manually configures. There’s zero need to use any existing CAs. If the concern is “Our root store is initially empty”, well then yes, it matches the status quo today: there is no root store. Rome wasn’t built in a day, and figuring out who should be in that store takes time. There’s no doubt a dozen CAs that would happily issue, if they knew what the expected profile and policies were, and would stand up dedicated roots. Of course, the CAs are only going to do that if there are users: those who will buy or rely on those certificates. So you need to convince supplicants that a zero-touch world is worth it, AND that it can be as secure as manual configuration. Supplicant vendors - whether they are open-source or operating system - are taking on the work to manage and police that root store. To ensure that the CAs included follow the profiles, policies, and practices. So you have to convince them that it’s worthwhile for their users. If this sounds like a lot of work: Yes. It is. Yet organizations like the WiFi Alliance or the Wireless Power Consortium or the USB-IF have all managed to do so, to varying degrees of success. I think you're operating from a WWW perspective. That use-case is very > different from EAP. In WWW, 99% of the TLS-enabled traffic is from the > server to the client. The client doesn't know what the information is, and > doesn't really care. Even secret information like passwords sent to a web > server are generated by / on that web server. So a client can verify (a) > the password was created for a proven server using a trusted CA, and next > time (b) prove it's the same server, so it's OK to send over the password. > > EAP is completely different. I have *my* password. It's secret, and I > made it. I want to be sure that I give it *only* to the site which is > authorized. This means that I don't really care that a root CA is > trusted. That root CA might sign certificates for 1000 companies. I want > to have my password only to one company; the correct one. I want the > client supplicant to *not* hand my password to the other ones. I have no > DNS to leverage, either. > > To put it another way, in WWW, the server has data that the client > wants. In EAP, the client has data (passwords) that the server wants. The > trust models are very different. They are not at all different. In both cases, the client has a principal it wants to validate: in RFC 6125, this is the reference name. This is the name in your credential in the case of EAP, the name of the host in the URL in WWW. The client wants to make sure it’s talking to the entity authorized for that name. You can manually preconfigured exactly that entity. In EAP, this is incredibly easy to do when you’re provisioning the client credential to also provision the peer identity. This is the existing flow. The long-term goal seems to be to want to indirect that, so that explicitly provisioning credentials is not necessary. In that model, you need a third-party, the CA, to vet and validate the identity, so your EAP server can attest it. Rather than having to rely on a preconfigured identity, you want to make sure the reference name matches the names presented in the certificate. The trust model is _identical_ to WWW, as you describe it. If the argument is that the only information that needs validation is a DNS name, and that it’s profile is similar to, or could be identical to, TLS, then you still have the burden of demonstrating the operational considerations are the same before you make the case to reuse the existing. For example, the payment terminal example I mentioned used the same policies and profiles, but the operational consideration was these devices are not field upgradable and only support certificates from a limited number of CAs. The lack of updates and the lack of agility were an insurmountable gulf of difference from the constraints of operating systems (patches) and browsers (regular updates), and so these devices need separate PKIs, which ANSI X-9 is happy to oblige: https://x9.org/asc-x9-launches-new-security-study-groups-on-public-key-infrastructure-pki-and-transport-layer-security-tls/ If this future world is a world where the provisioning of certificates is only done via ACME, and manual configuration is “unsupported” (even if technically capable, it’s in the “may break you at any time if you decide to do this” level of support), and your profiles are explicitly short-lives to help ensure this, then yes, it’s reasonable to talk about overlap. > Shipping a trusted root CA on the supplicant OS is the *only* way to do > this. This is not true. Shipping the trusted root CA list in the supplicant _software_ totally works. Conflating the supplicant with the OS is continuing to muddy the waters. Instead the supplicant is shipped with the OS. Therefore, any root CAs > needed by the supplicant MUST be included with the OS. > > It really is that simple. This may seem like splitting hairs, but it’s a _profound_ distinction if you’ve ever managed PKIs on operating systems, as this is not true. Shipping a CA list in the supplicant shipped in the OS != shipping a CA list in the OS. They are very different models of managing and configuring that should not be conflated. Android has plenty of OS components that ship their own root stores, separate from the root store it provides as part of its public API contract. We only need the former, not the latter. It sounds like this has circled back into “How do we get Apple/Microsoft/Google/whomever to have their supplicants trust a set of CAs by default”, and the steps outlined above continue to be it. For Google/Android/ChromeOS, I’m not going to want to conflate the TLS PKI and the EAP PKI if they have different operational considerations (e.g. the ease of replacement of certs and the ability to respond to CA incidents), different profile considerations (the information being attested), and different policy considerations (how that information is validated). The advocates of such a solution need to do the work in defining the profiles and policies and presenting that as the use case for why. To the OS vendor, managing these profiles and policies is a non-trivial undertaking involving a host of folks: Legal (for contracts and CP/CPS review), Engineering, Project/Program Management (it’s a lot of work to review several thousand CAs a year, let alone the 60-70 organizations in the root store), Release Management, etc. There has to be a value proposition here, because the convenient part of the much maligned manual configuration is that it outsourced all the risk the OS vendor might be taking on, and instead allows it to be the customer’s problem. That may seem unfair and non-ideal, but that’s where the risk/value calculus is right now, and to get vendors to change, you need to present a compelling value case that demonstrably minimizes risk. Trust is hard and expensive 🤷 In conclusion, we need a new PKI, and the root CAs must be included with > OS distributions. But the OS vendors won't do that until we define the > requirements, solution, and transition path. The transition path has been repeatedly defined, so that’s 1/3 of the way there 👍
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Owen Friel (ofriel)
- [Emu] EAP/EMU recommendations for client cert val… Owen Friel (ofriel)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] EAP/EMU recommendations for client cert… Michael Richardson
- Re: [Emu] EAP/EMU recommendations for client cert… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Joseph Salowey
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Benjamin Kaduk
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Mohit Sethi M
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Owen Friel (ofriel)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Stephen Farrell
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Stephen Farrell
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Salz, Rich
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Russ Housley
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Peter Bowen
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Phillip Hallam-Baker