Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
Ryan Sleevi <ryan-ietf@sleevi.com> Tue, 07 January 2020 17:33 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97B061200CC; Tue, 7 Jan 2020 09:33:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BM95KFwnEiXx; Tue, 7 Jan 2020 09:33:28 -0800 (PST)
Received: from mail-ed1-f44.google.com (mail-ed1-f44.google.com [209.85.208.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A8D71200B8; Tue, 7 Jan 2020 09:33:28 -0800 (PST)
Received: by mail-ed1-f44.google.com with SMTP id e10so248502edv.9; Tue, 07 Jan 2020 09:33:27 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bpYlKRTkXY9AY3PB0zpVcXM3kSAd8+KnoWiw27Wv2b0=; b=ZAzOjh+baFtPN5pfILknylumHezI+niCND37Nl1o5HtaL7Gf1gfOTIAANLausbmeiC NMF/eDFrxYRtiIwpx6duJ20BsInvtKSaxr2EKEkN3tKXuq9SAkeubap3ZG0k2i+8NJ+c 450fPeY0DrDiClP2U9m0PlTE0NWZ8G1aHXudT6jrLl9Ddd/zryyAlK+jNuX+bknpawx0 uPa8w/NtzQaxAySk+s6dKEBfKNFxnM7hCYG7XPc30w+AiD8EVIiBURJM0doLg/TAHBeg 56lSFr+FD93L+a2VE5KHa0tZvBxWiLd08RSMatIkVn3Kh3+M/1sjXIH2yNWKIvhuAXnx ORFQ==
X-Gm-Message-State: APjAAAUPCl5XOHvPYa3iSbxPRna7Tj86jAy0L+IGy8RWefRQhXrBC1xW K8QW4HjcPyumeUGAggw26hN8+OZc
X-Google-Smtp-Source: APXvYqwTiocfr4qjt/TMEBaPZ6aZa3BL1AUFvHNgb+Xo+Wn4eKZN0LrmEgE/pqV3tUO9sSqDvm7r+g==
X-Received: by 2002:a17:906:6d4c:: with SMTP id a12mr559114ejt.94.1578418406190; Tue, 07 Jan 2020 09:33:26 -0800 (PST)
Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com. [209.85.128.46]) by smtp.gmail.com with ESMTPSA id j21sm11951eds.8.2020.01.07.09.33.25 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 07 Jan 2020 09:33:25 -0800 (PST)
Received: by mail-wm1-f46.google.com with SMTP id b19so386275wmj.4; Tue, 07 Jan 2020 09:33:25 -0800 (PST)
X-Received: by 2002:a1c:3c89:: with SMTP id j131mr203807wma.34.1578418405551; Tue, 07 Jan 2020 09:33:25 -0800 (PST)
MIME-Version: 1.0
References: <MN2PR11MB3901F9B86DAC83AF67FBA49DDB560@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HEzR4U9L2Bbj65hSKo4=GEHv=NVGkySFpdCaK2NoJBmFQ@mail.gmail.com> <MN2PR11MB39013D4C54FEACDC8228D136DB3F0@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HG=ZTbzfSr8oQMWgzFNqmdPkUNttLQDprGo5F6LXv9T5Q@mail.gmail.com> <B823CF84-4F78-4B91-BC68-E173FA78C28D@deployingradius.com>
In-Reply-To: <B823CF84-4F78-4B91-BC68-E173FA78C28D@deployingradius.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Tue, 07 Jan 2020 12:33:14 -0500
X-Gmail-Original-Message-ID: <CAErg=HEAtGiJKpLamdUaHicU2Psu7_0RrwsrwiQpb-uHOZ2p2Q@mail.gmail.com>
Message-ID: <CAErg=HEAtGiJKpLamdUaHicU2Psu7_0RrwsrwiQpb-uHOZ2p2Q@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, "Owen Friel (ofriel)" <ofriel@cisco.com>, "spasm@ietf.org" <spasm@ietf.org>, EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005eb561059b902cb8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/LCl-iWLJ00j-WvwdV5T86vi6HY0>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jan 2020 17:33:29 -0000
On Tue, Jan 7, 2020 at 11:44 AM Alan DeKok <aland@deployingradius.com> wrote: > On Jan 7, 2020, at 9:54 AM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote: > > At the high-level, I will say that using TLS (id-kp-serverAuth) > certificates, from the intersection of CAs that are commonly trusted by > operating systems and browsers, is bad. It will create security issues, > will create interoperability issues, and will not help users. > > It's been accepted practice in all EAP implementations for ~15 years. > Are there practical issues you're aware of? Because I can't recall seeing > any. > I'm sure "practical" will be seen as subjective, but here's some examples: Operational: - Customers of CAs having trouble when their CA has to perform timely revocation of their certificates - Migration off SHA-1 - Migration off 1024-bit RSA - CAs being shut down or exiting the business due to non-compliance with browser requirements Security: - Cross-protocol considerations due to key reuse seems like a meaningful security issue that's being dismissed. > Any security issues are limited. If a site administrator has access to > the public / private keys for a web server, it's possible to re-use those > certs for EAP. This re-use cannot be prevented. > No. But it results in prompt revocation of that certificate if anyone demonstrates it being used like that, the same as no one can prevent you from embedding a private key in software, but doing so gets it swiftly revoked. [1] [1] https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/ > I'm not sure what your point is here. I agree this usage is wrong, but > the goal is to *fix* it. The goal isn't to "bless" the existing usage. > > The goal is to figure out what *should* supplicants do. > There's no short-term or medium-term solution that can rely on 'accepting' or 'specifying' the use of id-kp-serverAuth, which was the original proposal as a "recommend". Any of those uses are inherently broken and unsafe and just time bombs waiting to go off. > EAP supplicant implementations largely do this already. So there's no > "proposal" of a new root store. There's a statement that there *is* a > different root store. > That doesn't match Owen's original message, so while I'm glad there's an acknowledgement here of differences, that doesn't seem to match the discussion to date. > i.e. implementations default to not trusting CAs for EAP. The trust has > to be explicitly enabled by an admin, or by the user. This means that > there's a store of CAs *only* for EAP. > > Everyone knows that it's wrong to use id-kp-serverAuth for EAP. The > way forward is to figure out how to fix it. > Update software? I'm glad there's agreement it's bad/wrong to use, but it seems the only path forward is going to be to breaking, not recommending for using public (TLS) CAs with id-kp-serverAuth. Attempting to specify some interoperable behaviour in the interim, before things are broken, for how folks can keep using id-kp-serverAuth, seems to be the problem. Just accepting that things need to be broken seems like it easily allows moving into the discussion about NAIRealm and manual configuration. I know that's easy to say when it's individual vendors who have to deal with the fallout and that's why I suggested there's a spectrum of responses for how that's phased out. But explicitly moving towards that goal, and not trying to live in the interim with id-kp-serverAuth, seems the best path forward.
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Owen Friel (ofriel)
- [Emu] EAP/EMU recommendations for client cert val… Owen Friel (ofriel)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] EAP/EMU recommendations for client cert… Michael Richardson
- Re: [Emu] EAP/EMU recommendations for client cert… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Joseph Salowey
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Benjamin Kaduk
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Mohit Sethi M
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Owen Friel (ofriel)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Stephen Farrell
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Stephen Farrell
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Salz, Rich
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Russ Housley
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Peter Bowen
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Phillip Hallam-Baker