Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

Mohit Sethi M <mohit.m.sethi@ericsson.com> Fri, 17 January 2020 14:53 UTC

From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Joseph Salowey <joe@salowey.net>
CC: "spasm@ietf.org" <spasm@ietf.org>, EMU WG <emu@ietf.org>
Thread-Topic: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
Date: Fri, 17 Jan 2020 14:53:23 +0000
Message-ID: <7e2a5d26-0ef1-5ca1-3ea6-34cac0293f0a@ericsson.com>
References: <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <316CC74D-667B-4A1E-AD48-A702DF705423@deployingradius.com> <6191.1578513600@localhost> <CB67C090-4D6A-4586-AD7C-99A29EF5D92D@deployingradius.com> <CAOgPGoDADPY125Bf7mbPCpEVkwVF=YmbG9wAN0S-WyCWg27BCw@mail.gmail.com> <20200116040715.GC80030@kduck.mit.edu>
In-Reply-To: <20200116040715.GC80030@kduck.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/Dil8yl1LymZWpLXpl_7KuekK3bs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>

On 1/16/20 6:07 AM, Benjamin Kaduk wrote:
> Is there anything better for implementations to actually do (as distinct
> from what we write down as recommendations) than to start setting up a
> parallel (purpose-specific) PKI now and trusting that in parallel with what
> they're currently doing, with the hope of being able to have a flag day
> many years down the line when the new PKI becomes the only thing that's
> trusted?
This seems like a reasonable way forward to me.

--Mohit
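
The "parallel PKI" approach discussed in the quoted question, as an added worked example that is not part of this thread or of any EAP implementation: an EAP server validator that holds the legacy trust store and a purpose-specific client-certificate PKI side by side, accepts a chain from either until a flag-day switch is flipped, and afterwards accepts only the purpose-specific PKI. All CA names, the `Validator` type, its `FlagDayPassed` field and the helper functions are assumptions made for illustration; the three CAs and client certificates are generated in memory so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Validator keeps two trust stores side by side (hypothetical type, not from
// any real EAP server): the legacy PKI a deployment already trusts, and a new
// purpose-specific PKI for EAP client certificates. Before the flag day a
// client chain is accepted if it validates against either; afterwards only
// the purpose-specific PKI is consulted.
type Validator struct {
	Legacy        *x509.CertPool
	EAPSpecific   *x509.CertPool
	FlagDayPassed bool
}

// Verify reports which PKI accepted the client certificate, or an error if
// neither did. The purpose-specific PKI is always tried first, and both
// paths require the id-kp-clientAuth extended key usage.
func (v *Validator) Verify(client *x509.Certificate, now time.Time) (string, error) {
	opts := x509.VerifyOptions{
		Roots:       v.EAPSpecific,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := client.Verify(opts); err == nil {
		return "eap-specific", nil
	}
	if v.FlagDayPassed {
		return "", errors.New("client certificate not issued under the EAP-specific PKI")
	}
	opts.Roots = v.Legacy // fallback only while the legacy PKI is still trusted
	if _, err := client.Verify(opts); err == nil {
		return "legacy", nil
	}
	return "", errors.New("client certificate chains to neither trusted PKI")
}

// newCA creates a self-signed CA certificate (constructed test data).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issueClient issues an end-entity certificate with the clientAuth EKU
// under the given CA (constructed test data).
func issueClient(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Scenario builds a legacy CA, an EAP-specific CA and an unrelated CA, issues
// one client certificate under each, and records what the validator decides
// for every certificate before and after the flag day.
func Scenario() map[string]string {
	legacyCA, legacyKey := newCA("Legacy Corp CA")
	eapCA, eapKey := newCA("EAP Client CA")
	otherCA, otherKey := newCA("Unrelated CA")

	legacyPool, eapPool := x509.NewCertPool(), x509.NewCertPool()
	legacyPool.AddCert(legacyCA)
	eapPool.AddCert(eapCA)
	v := &Validator{Legacy: legacyPool, EAPSpecific: eapPool}

	clients := map[string]*x509.Certificate{
		"legacy": issueClient(legacyCA, legacyKey, "alice"),
		"eap":    issueClient(eapCA, eapKey, "alice"),
		"other":  issueClient(otherCA, otherKey, "alice"),
	}
	out := map[string]string{}
	now := time.Now()
	for _, phase := range []string{"before", "after"} {
		v.FlagDayPassed = phase == "after"
		for name, c := range clients {
			pki, err := v.Verify(c, now)
			if err != nil {
				pki = "rejected"
			}
			out[phase+"/"+name] = pki
		}
	}
	return out
}

func main() {
	for k, v := range Scenario() {
		fmt.Printf("%-14s %s\n", k, v)
	}
}
```

The order of the two checks matters: trying the purpose-specific PKI first means a certificate issued under both hierarchies is attributed to the new one, so logs can show how much of the client population has migrated before the flag day is scheduled.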