IETF Logo Mail Archive

Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

Ryan Sleevi <ryan-ietf@sleevi.com> Tue, 07 January 2020 17:33 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97B061200CC; Tue, 7 Jan 2020 09:33:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BM95KFwnEiXx; Tue, 7 Jan 2020 09:33:28 -0800 (PST)
Received: from mail-ed1-f44.google.com (mail-ed1-f44.google.com [209.85.208.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A8D71200B8; Tue, 7 Jan 2020 09:33:28 -0800 (PST)
Received: by mail-ed1-f44.google.com with SMTP id e10so248502edv.9; Tue, 07 Jan 2020 09:33:27 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bpYlKRTkXY9AY3PB0zpVcXM3kSAd8+KnoWiw27Wv2b0=; b=ZAzOjh+baFtPN5pfILknylumHezI+niCND37Nl1o5HtaL7Gf1gfOTIAANLausbmeiC NMF/eDFrxYRtiIwpx6duJ20BsInvtKSaxr2EKEkN3tKXuq9SAkeubap3ZG0k2i+8NJ+c 450fPeY0DrDiClP2U9m0PlTE0NWZ8G1aHXudT6jrLl9Ddd/zryyAlK+jNuX+bknpawx0 uPa8w/NtzQaxAySk+s6dKEBfKNFxnM7hCYG7XPc30w+AiD8EVIiBURJM0doLg/TAHBeg 56lSFr+FD93L+a2VE5KHa0tZvBxWiLd08RSMatIkVn3Kh3+M/1sjXIH2yNWKIvhuAXnx ORFQ==
X-Gm-Message-State: APjAAAUPCl5XOHvPYa3iSbxPRna7Tj86jAy0L+IGy8RWefRQhXrBC1xW K8QW4HjcPyumeUGAggw26hN8+OZc
X-Google-Smtp-Source: APXvYqwTiocfr4qjt/TMEBaPZ6aZa3BL1AUFvHNgb+Xo+Wn4eKZN0LrmEgE/pqV3tUO9sSqDvm7r+g==
X-Received: by 2002:a17:906:6d4c:: with SMTP id a12mr559114ejt.94.1578418406190; Tue, 07 Jan 2020 09:33:26 -0800 (PST)
Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com. [209.85.128.46]) by smtp.gmail.com with ESMTPSA id j21sm11951eds.8.2020.01.07.09.33.25 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 07 Jan 2020 09:33:25 -0800 (PST)
Received: by mail-wm1-f46.google.com with SMTP id b19so386275wmj.4; Tue, 07 Jan 2020 09:33:25 -0800 (PST)
X-Received: by 2002:a1c:3c89:: with SMTP id j131mr203807wma.34.1578418405551; Tue, 07 Jan 2020 09:33:25 -0800 (PST)
MIME-Version: 1.0
References: <MN2PR11MB3901F9B86DAC83AF67FBA49DDB560@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HEzR4U9L2Bbj65hSKo4=GEHv=NVGkySFpdCaK2NoJBmFQ@mail.gmail.com> <MN2PR11MB39013D4C54FEACDC8228D136DB3F0@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HG=ZTbzfSr8oQMWgzFNqmdPkUNttLQDprGo5F6LXv9T5Q@mail.gmail.com> <B823CF84-4F78-4B91-BC68-E173FA78C28D@deployingradius.com>
In-Reply-To: <B823CF84-4F78-4B91-BC68-E173FA78C28D@deployingradius.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Tue, 07 Jan 2020 12:33:14 -0500
X-Gmail-Original-Message-ID: <CAErg=HEAtGiJKpLamdUaHicU2Psu7_0RrwsrwiQpb-uHOZ2p2Q@mail.gmail.com>
Message-ID: <CAErg=HEAtGiJKpLamdUaHicU2Psu7_0RrwsrwiQpb-uHOZ2p2Q@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, "Owen Friel (ofriel)" <ofriel@cisco.com>, "spasm@ietf.org" <spasm@ietf.org>, EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005eb561059b902cb8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/LCl-iWLJ00j-WvwdV5T86vi6HY0>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jan 2020 17:33:29 -0000

On Tue, Jan 7, 2020 at 11:44 AM Alan DeKok <aland@deployingradius.com>
wrote:

> On Jan 7, 2020, at 9:54 AM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
> > At the high-level, I will say that using TLS (id-kp-serverAuth)
> certificates, from the intersection of CAs that are commonly trusted by
> operating systems and browsers, is bad. It will create security issues,
> will create interoperability issues, and will not help users.
>
>   It's been accepted practice in all EAP implementations for ~15 years.
> Are there practical issues you're aware of?  Because I can't recall seeing
> any.
>

I'm sure "practical" will be seen as subjective, but here's some examples:

Operational:
- Customers of CAs having trouble when their CA has to perform timely
revocation of their certificates
- Migration off SHA-1
- Migration off 1024-bit RSA
- CAs being shut down or exiting the business due to non-compliance with
browser requirements

Security:
- Cross-protocol considerations due to key reuse seems like a meaningful
security issue that's being dismissed.


>   Any security issues are limited.  If a site administrator has access to
> the public / private keys for a web server, it's possible to re-use those
> certs for EAP.  This re-use cannot be prevented.
>

No. But it results in prompt revocation of that certificate if anyone
demonstrates it being used like that, the same as no one can prevent you
from embedding a private key in software, but doing so gets it swiftly
revoked. [1]

[1] https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/


>   I'm not sure what your point is here.  I agree this usage is wrong, but
> the goal is to *fix* it.  The goal isn't to "bless" the existing usage.
>
>   The goal is to figure out what *should* supplicants do.
>

There's no short-term or medium-term solution that can rely on 'accepting'
or 'specifying' the use of id-kp-serverAuth, which was the original
proposal as a "recommend". Any of those uses are inherently broken and
unsafe and just time bombs waiting to go off.


>   EAP supplicant implementations largely do this already.  So there's no
> "proposal" of a new root store.  There's a statement that there *is* a
> different root store.
>

That doesn't match Owen's original message, so while I'm glad there's an
acknowledgement here of differences, that doesn't seem to match the
discussion to date.


>   i.e. implementations default to not trusting CAs for EAP.  The trust has
> to be explicitly enabled by an admin, or by the user.  This means that
> there's a store of CAs *only* for EAP.
>
>   Everyone knows that it's wrong to use id-kp-serverAuth for EAP.   The
> way forward is to figure out how to fix it.
>

Update software? I'm glad there's agreement it's bad/wrong to use, but it
seems the only path forward is going to be to breaking, not recommending
for using public (TLS) CAs with id-kp-serverAuth.

Attempting to specify some interoperable behaviour in the interim, before
things are broken, for how folks can keep using id-kp-serverAuth, seems to
be the problem. Just accepting that things need to be broken seems like it
easily allows moving into the discussion about NAIRealm and manual
configuration.

I know that's easy to say when it's individual vendors who have to deal
with the fallout and that's why I suggested there's a spectrum of responses
for how that's phased out. But explicitly moving towards that goal, and not
trying to live in the interim with id-kp-serverAuth, seems the best path
forward.

v2.23.0 | Report a Bug | By Email