Re: [Emu] Version Notification for draft-dekok-emu-eap-usability-00.txt
Deb Cooley <debcooley1@gmail.com> Tue, 15 February 2022 18:08 UTC
Return-Path: <debcooley1@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 812AC3A1032
for <emu@ietfa.amsl.com>; Tue, 15 Feb 2022 10:08:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id uEaITYse9s_m for <emu@ietfa.amsl.com>;
Tue, 15 Feb 2022 10:08:50 -0800 (PST)
Received: from mail-oi1-x22a.google.com (mail-oi1-x22a.google.com
[IPv6:2607:f8b0:4864:20::22a])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id BFB983A0F64
for <emu@ietf.org>; Tue, 15 Feb 2022 10:08:45 -0800 (PST)
Received: by mail-oi1-x22a.google.com with SMTP id r19so2599615oic.5
for <emu@ietf.org>; Tue, 15 Feb 2022 10:08:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=IUctbC5xUmZbqTL+tdYoDaTYTa0sj5DUtdhBDqaYSaM=;
b=LZNUXABiAhcNZx+JVYTwnVsYaoBFVV2IeKwwqSBklJlQlybyAtMET7uDqkGqS1j/pg
MkHomZOR+/poRYcBZEBVp+3PlJlOS+BgY5cIW/20KkSNK2jX+VPE19X2z9t8PIBmBWEw
D0vw7yWuU0x3/29M2MEoc76G8KHLEaFyevW49kfA5Fbo0oUa709JgD/HJ9QYd7Hte3fZ
hE/EU2aN51fzy8r/t3Pd0J9HuHZjF+tac67awJg+5nlE7Ln49ClbY+ALAB0Tw89YoIij
iAaxLlWidCugZzmRcmlApomFmfGb2YVgh5P57fM4zYNE5EkkDx+eQ9qRYKjyAsUE/0fO
oYlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=IUctbC5xUmZbqTL+tdYoDaTYTa0sj5DUtdhBDqaYSaM=;
b=FJwSLx+qR5KF5oxCovu0mGM1kfGhSBQUd75hNCmqsozTPJaKVXzFbU4yoTuA1Tm6bY
N8wrEq2rKywCM+BpLgzvosV6dljtVns7WVGIsMiYdyRUxgEM9HqNoUvohm8ZaHOK0iMM
iKPWLakY+Zl5s8UXvIRfhRItAlXcSl1x7VYG3rGmFt+xOUhJ+wp8hNZa64M0NitneDwp
UiDJWcUgrRdA+i0WH74SW8FOqt5+U0EKhrYUJYByKFqiHlJrHe0ErGpi0mDIfHBPqrwJ
WY2HGj0O4RAbNM78bgFA6XnVfA9bMNJBB+Fys6kyd5qUPPaAXzWf6Qrb2872+CDOdd31
3Yzw==
X-Gm-Message-State: AOAM531jlt1eqvkl8oXTIaAyg/1o5RA7Yzgz3y4gNiNBkJjBb1WGjbvC
FwTZZoJydzZNZ5hllZYNJKjosbvaRBiCr9mBFuyoMLc=
X-Google-Smtp-Source: ABdhPJzz11+5kASR5Px2GdKvHqSuelS9y5efuYmOL4C9kJ8xJMu1490FffkAtgFuwPy9IsVoviDhXaA93fK+xRLpd8E=
X-Received: by 2002:a05:6808:168d:b0:2d3:65f0:582f with SMTP id
bb13-20020a056808168d00b002d365f0582fmr2213520oib.152.1644948523842; Tue, 15
Feb 2022 10:08:43 -0800 (PST)
MIME-Version: 1.0
References: <162611255836.29278.13767587856449885761@ietfa.amsl.com>
<D71E4C2D-53AC-4453-AF26-39D8684CEAF0@deployingradius.com>
<887c07d9-c62f-0fa4-e422-4e9bcfc39756@angry-red-pla.net>
<3FDB94D5-CD72-446F-839C-C0130E9FD5E0@deployingradius.com>
<ff264fc0-b374-c564-da05-63483cdfa9a7@angry-red-pla.net>
<974B27AF-1570-44EC-8232-3CFADA6DD6C8@deployingradius.com>
<HE1PR0701MB3050816DC3B7AF70E0AFE8F589309@HE1PR0701MB3050.eurprd07.prod.outlook.com>
<4C04495A-713D-410D-B03B-CDE04D483108@deployingradius.com>
In-Reply-To: <4C04495A-713D-410D-B03B-CDE04D483108@deployingradius.com>
From: Deb Cooley <debcooley1@gmail.com>
Date: Tue, 15 Feb 2022 13:08:33 -0500
Message-ID: <CAGgd1OdXk_HtUKH9pw4X+PS6x404AGhjywbmnc2g0OS4yq9-hg@mail.gmail.com>
To: "emu@ietf.org" <emu@ietf.org>, Alan DeKok <aland@deployingradius.com>
Cc: "Cooley, Dorothy E" <decoole@nsa.gov>
Content-Type: multipart/alternative; boundary="0000000000006ffe8105d8126c77"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/HM5w3MynEGywzxwiZkw_0nps0ss>
Subject: Re: [Emu] Version Notification for
draft-dekok-emu-eap-usability-00.txt
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>,
<mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>,
<mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Feb 2022 18:09:02 -0000
Is there a plan to continue work on this draft (I think it has expired)? I skimmed through it a while ago, had thoughts/comments, but have resisted the urge to provide them (why work on something that is OBE?). It is longish, but it is not a difficult read. Deb Cooley decoole@nsa.gov On Fri, Feb 11, 2022 at 9:04 AM Alan DeKok <aland@deployingradius.com> wrote: > On Feb 11, 2022, at 6:04 AM, John Mattsson <john.mattsson@ericsson.com> > wrote: > > I think it would be very good if IETF/EMU could agree on simpler, more > automatic, and secure deployment and configuration of TLS-based EAP > methods. This is severely needed. Both complexity and security are very > real problems. > > > > > https://threatpost.com/misconfiguration-university-wifi-login-credentials/175157/ > > That attack was in fact first publicly presented by my team in 2016, at > NetworkShop 44. We also published an article on it in August of 2021 on > our web site: > > https://networkradius.com/articles/2021/08/04/wifi-spoofing.html > > Then magically in September 29 2021, Wizcase says "WizCase’s security > team, ... has discovered a major security issue affecting the users of WiFi > provider eduroam". And "We contacted eduroam on December 2020 " > > No, they didn't discover anything. This issue was well known for years > before they did their "research". > > > RFC 8446, RFC 5216, and draft-ietf-emu-eap-tls13 does not give much > guidance on this and the security requirement for cerficates are soft. > > The IETF has historically avoided doing configuration in this space. > > > Any work should likely align with > https://datatracker.ietf.org/doc/draft-ietf-uta-rfc6125bis/ > > On quick inspection, that document could have some relevance. > > > I have not read draft-dekok-emu-eap-usability-00 yet. > > Despite it's length, it makes a very simple proposal. One which > draft-ietf-uta-rfc6125bis touches on in Section 4.2: > > Consider an IMAP-accessible email server at the host mail.example.net > servicing email addresses of the form user@example.net and > discoverable via DNS SRV lookups on the application service name of > example.net. A certificate for this service might include SRV-IDs of > _imap.example.net and _imaps.example.net > > At it's heart, draft-dekok-emu-eap-usability-00 makes a similar proposal > for EAP. A client can do DNS SRV lookups for _eap.example.net, and can > determine location, etc. for EAP services. > > Where my document extends this idea is that it also allows clients to > discover which certificates are being used for a service. > draft-ietf-uta-rfc6125bis does not seem to touch on this topic, and gives > only examples of public (not private) CAs. In contrast, many EAP > deployments use private CAs for security and ease of management. As such, > it is important to have an easy way to discover these certificates. > > If we're doing DNS SRV lookups for services, we might was well do DNS > SRV lookups for information associated with those certificates. > > For example, there's no reason for a company to use a public CA for > private services such as IMAP. It would add security for IMAP servers to > use private CAs and client certs issued by those private CAs. The only > reason this isn't done is that configuring mail clients is difficult. > > I'll also add a personal note that I wish SRV records would become more > ubiquitous. I fail to understand why in 2021 I have to manually configure > IMAP for a new mail client, when the client could simply ask for a SRV > recorrd of "_imaps.example.net", and get told "IMAP servers are at this > DNS name, using this certificate". > > > Inter-operability issues between implementations seems to be an issue, > how easy will it be to reach consensus between different implementations? > > Inter-operability for my draft? The happy news is that there are no > implementations other than my toy one. > > Even better, my draft proposes nothing more than well-known DNS lookups, > and well-known URIs. We know that DNS and HTTPS work very well. Any > client EAP configuration is done solely by code on the client, which means > that it doesn't have to inter-operate with anything. > > Stefan Winter proposed a standard EAP configuration format in the IETF > many years ago. It never got traction, so he went to the WiFi alliance. > Their latest spec now mandates an XML configuration format. > > Alan DeKok. > > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://www.ietf.org/mailman/listinfo/emu >
- [Emu] Version Notification for draft-dekok-emu-ea… Alan DeKok
- Re: [Emu] Version Notification for draft-dekok-em… Carolin Baumgartner
- Re: [Emu] Version Notification for draft-dekok-em… Alan DeKok
- Re: [Emu] Version Notification for draft-dekok-em… Carolin Baumgartner
- Re: [Emu] Version Notification for draft-dekok-em… Alan DeKok
- Re: [Emu] Version Notification for draft-dekok-em… John Mattsson
- Re: [Emu] Version Notification for draft-dekok-em… Alan DeKok
- Re: [Emu] Version Notification for draft-dekok-em… Deb Cooley
- Re: [Emu] Version Notification for draft-dekok-em… Alan DeKok