IETF Logo Mail Archive

Re: [Emu] Issue 47 Certificate identity checks

Alan DeKok <aland@deployingradius.com> Mon, 12 April 2021 18:51 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 522F83A125C for <emu@ietfa.amsl.com>; Mon, 12 Apr 2021 11:51:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dIuLjdSpyxn8 for <emu@ietfa.amsl.com>; Mon, 12 Apr 2021 11:51:03 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E44D3A1259 for <emu@ietf.org>; Mon, 12 Apr 2021 11:51:03 -0700 (PDT)
Received: from [192.168.46.129] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id 166E62E6; Mon, 12 Apr 2021 18:51:00 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <SJ0PR00MB10385E0212FE3B777BD634BC95709@SJ0PR00MB1038.namprd00.prod.outlook.com>
Date: Mon, 12 Apr 2021 14:50:59 -0400
Cc: "emu@ietf.org" <emu@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D209B8FA-FD4F-41AC-B5AE-BD27DA6A26F3@deployingradius.com>
References: <CAOgPGoArm2RdEN4V-L9XEUvOeG0Vs+58Zj_p3Y2yRY0aYsVV_A@mail.gmail.com> <950CF2A7-2C9A-4BAE-8EA2-0FC2DE3C740C@deployingradius.com> <CAOgPGoBm7pas9i6n-y8g1yqP+ea68=_8DueHqywDQLBcMGEJ9g@mail.gmail.com> <2DE1DAF6-FA19-4F57-AF5C-BA6A39869B0C@deployingradius.com> <2A01F606-4B26-4B7D-BEA1-3BEF89A153DB@cisco.com> <SJ0PR00MB10385E0212FE3B777BD634BC95709@SJ0PR00MB1038.namprd00.prod.outlook.com>
To: Tim Cappalli <Tim.Cappalli@microsoft.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/INTq0AsYcNBOC9JsWKIC5gG6BSM>
Subject: Re: [Emu] Issue 47 Certificate identity checks
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Apr 2021 18:51:07 -0000

On Apr 12, 2021, at 2:15 PM, Tim Cappalli <Tim.Cappalli@microsoft.com> wrote:
> 
> Pinning the server certificate is unrealistic. A properly configured supplicant with a trusted private root and subject match is adequate and allows good security hygiene with server cert rotation.

  While I agree, many customers don't.  The only way to convince them otherwise is to present a "fait accompli" that all of the vendors now forbid this behaviour.

> I believe the id-kp-eapOverLAN EKU should be a MUST.

  I think we can't use it.  It's defined for client certs.  We don't want client certs to pretend to be server certs.  Using id-kp-eapOverLAN for both will allow this.

> Public CAs should not be issuing server certificates for EAP in the first place. I feel like this debate comes up every few years. Any public CA-signed TLS web server certificate that is used for EAP can be requested to be revoked for misuse.

  Replace EAP with EAP, SMTPS, XMPP, etc.

  i.e. any protocol using TLS.

  There was a long thread about this on EMU a year ago.  Maybe it is the case that certificate authorities MUST revoke such mis-used certs.  If so, I could write a script which would scan the net, find such certs, and report them.  I suspect that it could take down 10% to 25% of TLS-enabled services.

  Is this a good idea?  Probably not.

  Is it possible?  According to multiple people, yes.

  What should we do about it?  I don't know.

  But my $0.02 is that if it is true, then we should admit that the real-world use-cases for certs don't match how certificate authorities work.  We should then likely change the definition of "id-kp-serverAuth" to mean "any TLS-enabled service", instead of "TLS WWW servers".

> If an organization cannot ensure proper configuration of a supplicant, they should not be using EAP.

  Or, they should rely on experts to ensure that systems can't be configured incorrectly.  This is where the IETF has spent two decades not addressing these use-cases.

  Given the time frame for the EAP-TLS document, I suspect it's best to just say "here be dragons", and leave it at that.  Any attempt to define new behavior may be time consuming.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email