Re: [Emu] Issue 47 Certificate identity checks

Tim Cappalli <Tim.Cappalli@microsoft.com> Wed, 14 April 2021 14:57 UTC

From: Tim Cappalli <Tim.Cappalli@microsoft.com>
To: "aland@deployingradius.com" <aland@deployingradius.com>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>
CC: "emu@ietf.org" <emu@ietf.org>
Date: Wed, 14 Apr 2021 14:56:47 +0000
Message-ID: <SJ0PR00MB1039DF0140713A18B360B185954E9@SJ0PR00MB1039.namprd00.prod.outlook.com>
References: <CAOgPGoArm2RdEN4V-L9XEUvOeG0Vs+58Zj_p3Y2yRY0aYsVV_A@mail.gmail.com> <950CF2A7-2C9A-4BAE-8EA2-0FC2DE3C740C@deployingradius.com> <12533.1618359438@localhost>, <9B6DEC06-E681-413D-9092-712C20924846@deployingradius.com>
In-Reply-To: <9B6DEC06-E681-413D-9092-712C20924846@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/QH0h9fUUomWDKq59omyHknTt-nU>
Subject: Re: [Emu] Issue 47 Certificate identity checks
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>

Honestly, no information in an EAP server certificate is good enough for a user to make a "walk up" informed decision. If the supplicant is not properly pre-configured, all bets are off. TOFU is not acceptable.

At least requiring an EAP-specific EKU or OID would require operating systems to separate out the EAP trust store.

TLS Web Server Certificate should not be acceptable for EAP.

tim
________________________________
From: Emu <emu-bounces@ietf.org> on behalf of Alan DeKok <aland@deployingradius.com>
Sent: Wednesday, April 14, 2021 07:23
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: EMU WG <emu@ietf.org>
Subject: Re: [Emu] Issue 47 Certificate identity checks

On Apr 13, 2021, at 8:17 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> Why did you need the HTTPS server cert?
> Did you need the OIDs, and stuff out of it?  Why wasn't the realm name enough
> to make the imposter cert from the non-authorized CA?
>
> I'm just trying to understand how the HTTPS cert is involved here.

  The HTTPS cert contains a wealth of information which makes it look "real" to the average person.  All of that information can be cloned into the imposter cert.  So the only differences between the imposter cert and real one are (a) signing CA, and (b) key data that most people don't understand.

  What any mere mortal looking at the imposter cert will see is "Yup, it has the right addresses, phone numbers, names, etc."  For all intents and purposes, it appears to be real.

  This imposter process worked better years ago when supplicants would show the entire cert to the user.  Now, many don't even do that.  Some just show a fingerprint in a pop-up dialog, and ask the user "is this OK?".

  How that's useful to anyone is beyond me.

  Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
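An added example, not code from this thread or from any supplicant or RADIUS project. It reproduces the situation Alan describes (an imposter certificate whose subject, SAN and other visible fields are cloned from the real one, so that only the issuing CA and the key differ) with the openssl CLI, and then applies the two checks Tim argues for: the chain must end at the CA pre-configured in the supplicant, and the certificate must carry the EAP-specific EKU id-kp-eapOverLAN (OID 1.3.6.1.5.5.7.3.14, from RFC 4334) rather than only serverAuth. The CA names, the server name radius.example.edu and the subject fields are invented for the example; OpenSSL has no short name for the EAP OID, so the EKU check matches the dotted OID in the printed certificate.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a pinned "campus" EAP CA, a
# genuine EAP server cert, and two imposter certs from an attacker-controlled CA
# with the same subject and SAN, then applies the checks a properly
# pre-configured supplicant should make. All names are invented.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

EAP_OID="1.3.6.1.5.5.7.3.14"          # id-kp-eapOverLAN (RFC 4334)
EAP_HOST="radius.example.edu"         # name the supplicant is configured to expect
# Visible subject fields; identical in every cert to show they prove nothing.
SUBJ="/C=US/ST=MA/L=Boston/O=Example University/OU=IT Services/CN=$EAP_HOST"

# Self-signed CA: $1 = file prefix, $2 = CA common name
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Leaf cert: $1 = issuing CA prefix, $2 = output prefix, $3 = extendedKeyUsage value
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=%s\n' "$EAP_HOST" "$3" > "$WORK/$2.ext"
  openssl x509 -req -days 30 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# Check 1: chain to the CA the supplicant was pre-configured with, plus name match.
chains_to_pinned_ca() {   # $1 = pinned CA prefix, $2 = leaf prefix
  openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$EAP_HOST" \
    "$WORK/$2.pem" >/dev/null 2>&1
}

# Check 2: EAP-specific EKU present. OpenSSL prints unnamed OIDs in dotted form.
has_eap_eku() {           # $1 = leaf prefix
  openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q -F -e "$EAP_OID" -e "eapOverLAN"
}

# Is the subject byte-for-byte the same? (Everything visible can be cloned.)
same_subject() {          # $1, $2 = leaf prefixes
  [ "$(openssl x509 -in "$WORK/$1.pem" -noout -subject)" = \
    "$(openssl x509 -in "$WORK/$2.pem" -noout -subject)" ]
}

# What a correctly pre-configured supplicant does: both checks must pass.
supplicant_accepts() {    # $1 = pinned CA prefix, $2 = leaf prefix
  chains_to_pinned_ca "$1" "$2" && has_eap_eku "$2"
}

make_ca campus-ca   "Example University EAP CA"     # pre-configured in the supplicant
make_ca attacker-ca "Reputable Public CA"           # anything the attacker controls

issue_leaf campus-ca   real         "$EAP_OID"      # the genuine EAP server
issue_leaf attacker-ca imposter-web serverAuth      # cloned "TLS web server" cert
issue_leaf attacker-ca imposter-eap "$EAP_OID"      # clone that even copies the EAP EKU

for leaf in real imposter-web imposter-eap; do
  if supplicant_accepts campus-ca "$leaf"; then verdict=ACCEPT; else verdict=REJECT; fi
  printf '%-13s same-subject-as-real=%s pinned-chain=%s eap-eku=%s -> %s\n' "$leaf" \
    "$(same_subject real "$leaf" && echo yes || echo no)" \
    "$(chains_to_pinned_ca campus-ca "$leaf" && echo yes || echo no)" \
    "$(has_eap_eku "$leaf" && echo yes || echo no)" "$verdict"
done
```

Two things the run makes concrete. The hostname check passes for all three certificates, because the name, like every other visible field, was cloned; only the pinned CA separates the real server from the imposters. And the third certificate shows that an attacker can put the EAP OID into a cloned cert just as easily, so the EKU by itself is not a security boundary either; its value, as Tim says, is that it gives operating systems a reason to keep an EAP trust store separate from the web PKI, so that a certificate any public CA will issue for "TLS Web Server" is never accepted for EAP.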