Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
Peter Bowen <pzbowen@gmail.com> Sun, 19 January 2020 16:54 UTC
Return-Path: <pzbowen@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6956E12002E; Sun, 19 Jan 2020 08:54:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jFP96Y19x_Mu; Sun, 19 Jan 2020 08:54:04 -0800 (PST)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BC1C120013; Sun, 19 Jan 2020 08:54:04 -0800 (PST)
Received: by mail-lf1-x12d.google.com with SMTP id b15so22102088lfc.4; Sun, 19 Jan 2020 08:54:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YBLlXESBsiEssbhFQzJSQKbgAqpRYKRrE3A/TxRCjmA=; b=U3Ib0mnfm3/jIbLlhrNwaSa1FEC61HlVrc6bl+MmhOqIcE/poD3QcuWxFHBvnMa51Z GwK89X/Fx6FKOxwO/JZV6y9j0cOfjrsnzxPe6JCjTdyE9M237IinEWCrHUmjqbh8q20B FJd7bMXqfTA4wKBBtR/objVhiWlzN+wjTUVwyiTPqBTTDopWRZHN15XulrY5QGA/iT4j 3i/lSOw9JrRSotB8D+JTcySOmQsbGkPbN13dvWKOUobnXWCOG0AY0DuAaQZh/oXTPghl iuaEzLYrDPBjKysnCCdFKxLtO/nXRxw0UGQA4r4kG+ikv3IJuntwf6b5ThyFGgeeV943 IO4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YBLlXESBsiEssbhFQzJSQKbgAqpRYKRrE3A/TxRCjmA=; b=Q3bJdZFLimmsx9iufoPX5R3GIYRVOhJokD2xbMJIj+q3Wn1VEUcl0JfP6FBsmRFplb QOf1Gd4fp/KMWx5pz5SRsPSyLshRO8pSbm/AJldFl29HPgQtei9OpX9k/HCeNg4ymCo0 2RQiMHcaC31KuwbAKzjDCaGql8Or2TKobkfgTqe99d403GAW0faHRt5ai/ws/AN+R2CU ZCpdMQTUr46FtPKfX62uuMBqzVTvN3flRc7UoLxFtWyNtpVr6E4SHb2cLtTdjsY2af3e ipCIwq75jtCc1D7MuHU20hLVdykLhJ/1Jt17lY5V3EsQFXTcYVgYeWr7tsYUimUvs8tr RU4g==
X-Gm-Message-State: APjAAAX5nr0lnVKHKpkwXvHnYJ4tqJNzmcfv2kBF92oL8c7M1Mo1/oZL xXCCxRlGxvf6Xp2Le7qyVjie3wWC8FjXBGfgyKY=
X-Google-Smtp-Source: APXvYqw9Xyzi4JkaECxZYTau67b/GrkDtdurprUTNiffgAJCIQHi2TLWv/BhCwEBD7RVdWFPatkv6o23SYABv4uXpwc=
X-Received: by 2002:a19:5057:: with SMTP id z23mr11114829lfj.132.1579452842350; Sun, 19 Jan 2020 08:54:02 -0800 (PST)
MIME-Version: 1.0
References: <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <316CC74D-667B-4A1E-AD48-A702DF705423@deployingradius.com> <6191.1578513600@localhost> <CB67C090-4D6A-4586-AD7C-99A29EF5D92D@deployingradius.com> <CAOgPGoDADPY125Bf7mbPCpEVkwVF=YmbG9wAN0S-WyCWg27BCw@mail.gmail.com> <20200116040715.GC80030@kduck.mit.edu> <CAErg=HHwLOw9sL2=nGca5MuuyiV2Zghrp6prR7SqLJAvfCLmjA@mail.gmail.com> <B3A03277-C176-4E63-ADB3-70133E2ABA46@deployingradius.com> <MN2PR11MB3901D1B17802F2DACCC8966CDB300@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HE0XDbhuibtky5VhvZYUnQxDitLSEuf4uzXnuByNQN+4Q@mail.gmail.com> <55CE7F32-B5DE-44F5-AE06-72BE12FA05FF@deployingradius.com> <CAErg=HH8LjqMR37Ek1uK12uCDj4N89Ot=Fm_PLOBdeXsv3sdpw@mail.gmail.com> <7F591857-4B7B-41BD-B101-6C40BE527644@deployingradius.com> <CAErg=HF9SQCmP9hi8SP-EstyYL-qVLWMeitP2AHc3T6ZWZM4vQ@mail.gmail.com> <9AADAAD6-0A66-4198-AFBF-DBC2D87DBFA0@deployingradius.com> <CAErg=HE8WO1oU=ZUxMeJZpxVyM_6ypCn-3_9UqKkMv44c7Do=Q@mail.gmail.com> <07C710A5-3B2A-4D15-8BB7-AB5A8B5EF5D1@deployingradius.com> <CAErg=HGf=3z+_S2f+_ciSunpi4W05aKxoxx=ozH9kXtooAJL9w@mail.gmail.com> <7C85D468-1D28-4C3A-BC3E-C42374933B51@deployingradius.com> <666A5BF7-29A2-4CD3-97CB-DAD8B96EC040@vigilsec.com>
In-Reply-To: <666A5BF7-29A2-4CD3-97CB-DAD8B96EC040@vigilsec.com>
From: Peter Bowen <pzbowen@gmail.com>
Date: Sun, 19 Jan 2020 08:53:50 -0800
Message-ID: <CAK6vND_fW+Hz5wDQxL3YJzh+Hn-f=+Sa3ELUMz=WVTAbQ80irw@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Alan DeKok <aland@deployingradius.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, "spasm@ietf.org" <spasm@ietf.org>, EMU WG <emu@ietf.org>, Ben Kaduk <kaduk@mit.edu>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/N9TyL6A1qVqH79crW7DEmU7GsBE>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jan 2020 16:54:06 -0000
On Sun, Jan 19, 2020 at 8:26 AM Russ Housley <housley@vigilsec.com> wrote: > > It seems to me that RFC 4334 offers a way for an enterprise to assert that the certificate is intended to be used with a particular SSID. This seems better than a self-signed certificate with just a domain name. > > I understand that CA/B Forum does not allow these extensions and attributes, but as already highlighted in this discussion, these certificates are not part of the Web PKI. I don't think it is that straight forward. The operating system vendors that ship supplicants heavily overlap with the ones who set the CA/Browser Forum requirements. They are also the ones who require CAs in their OS trust stores follow the CA/BF requirements. The CA/BF has made it clear over the last year or two they are willing to include other (non-WWW) types of certificates as permitted in their requirements, but look to IETF and other organizations to set the technical standards. For RFC 4334, we have a technical standard (good!). However 4334 calls out that "SSIDs may not be unique". This makes it very tricky to use a shared root setup, as it does not provide any guidance on who gets to have a certificate for the SSID "Guest". This is analogous to the issue of unqualified hostnames mentioned earlier in this discussion (who gets a TLS certificate for "mail"?) How are CAs trusted by supplicants expected to decide who gets a certificate for a given SSID? Thanks, Peter
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Owen Friel (ofriel)
- [Emu] EAP/EMU recommendations for client cert val… Owen Friel (ofriel)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] EAP/EMU recommendations for client cert… Michael Richardson
- Re: [Emu] EAP/EMU recommendations for client cert… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Joseph Salowey
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Benjamin Kaduk
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Mohit Sethi M
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Owen Friel (ofriel)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Stephen Farrell
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Stephen Farrell
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Salz, Rich
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Russ Housley
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Peter Bowen
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Phillip Hallam-Baker