Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

"Owen Friel (ofriel)" <ofriel@cisco.com> Sat, 16 November 2019 13:01 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "emu@ietf.org" <emu@ietf.org>
Thread-Topic: [Emu] Idea: New X509 Extension for securing EAP-TLS
Date: Sat, 16 Nov 2019 13:01:27 +0000
Message-ID: <MN2PR11MB390121B2A05B425C3C97FB65DB730@MN2PR11MB3901.namprd11.prod.outlook.com>
References: <102dd850-b1ae-3426-8189-45876b7b419d@uni-bremen.de> <04E2AEF5-F1EE-4B74-B5BB-DFE099543C92@vigilsec.com> <D735A4DB-1CFB-4DF4-ACB7-BC6EFDBC6CDE@deployingradius.com> <E0B8DAA7-8C7C-455F-B5BE-128670A093D3@vigilsec.com> <BD30A64D-539C-422D-9413-880AF8D6A16F@deployingradius.com> <8147b718-23d6-07de-a565-08bcc8148095@uni-bremen.de> <MN2PR11MB3901077F38165EE241D30BC5DB740@MN2PR11MB3901.namprd11.prod.outlook.com> <08da27e5-518e-b6a4-a97a-b4ae9c32ed00@uni-bremen.de> <46C8D8C4-7317-47F3-8F9B-6C56F7B7FEE9@vigilsec.com> <F45360DB-D474-4600-BEFD-3C844FA4CB0A@deployingradius.com> <AT5PR8401MB05309002D11E8AEF1018D250DB770@AT5PR8401MB0530.NAMPRD84.PROD.OUTLOOK.COM> <9907D136-C262-48BC-8630-0EABC0EB97F5@deployingradius.com> <e4a87622-4da9-5abb-2a55-84d096ef6d1a@sandelman.ca>
In-Reply-To: <e4a87622-4da9-5abb-2a55-84d096ef6d1a@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/QWeKJ3JjifsRsDMKKrjqP06z3Vk>

The CA/Browser Forum has concrete guidelines on address, email and domain verification, outlined here.

https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.6.pdf

All public CAs should follow these, or face blacklisting. CAs don’t want to risk being the next Symantec.

"3.2.2.1. Identity
If the Subject Identity Information is to include the name or address of an organization, the CA SHALL verify the identity and address of the organization and that the address is the Applicant’s address of existence or operation. The CA SHALL verify the identity and address of the Applicant using documentation provided by, or through communication with, at least one of the following:
1. A government agency in the jurisdiction of the Applicant’s legal creation, existence, or recognition;
2. A third party database that is periodically updated and considered a Reliable Data Source;
3. A site visit by the CA or a third party who is acting as an agent for the CA; or
4. An Attestation Letter.
The CA MAY use the same documentation or communication described in 1 through 4 above to verify both the Applicant’s identity and address.
Alternatively, the CA MAY verify the address of the Applicant (but not the identity of the Applicant) using a utility bill, bank statement, credit card statement, government-issued tax document, or other form of identification that the CA determines to be reliable."

"3.2.2.3. Verification of Country
If the subject:countryName field is present, then the CA SHALL verify the country associated with the Subject using one of the following: (a) the IP Address range assignment by country for either (i) the web site’s IP address, as indicated by the DNS record for the web site or (ii) the Applicant’s IP address; (b) the ccTLD of the requested Domain Name; (c) information provided by the Domain Name Registrar; or (d) a method identified in Section 3.2.2.1. The CA SHOULD implement a process to screen proxy servers in order to prevent reliance upon IP addresses assigned in countries other than where the Applicant is actually located."

There is also a bunch of stuff in there about emails, including:

"3.2.2.4.4 Constructed Email to Domain Contact
Confirm the Applicant's control over the FQDN by (i) sending an email to one or more addresses created by using 'admin', 'administrator', 'webmaster', 'hostmaster', or 'postmaster' as the local part, followed by the at-sign ("@"), followed by an Authorization Domain Name, (ii) including a Random Value in the email, and (iii) receiving a confirming response utilizing the Random Value."

-----Original Message-----
From: Emu <emu-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: 13 November 2019 23:27
To: emu@ietf.org
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS



On 2019-11-13 7:40 a.m., Alan DeKok wrote:
> On Nov 12, 2019, at 3:13 PM, Cappalli, Tim (Aruba) <timc@hpe.com> wrote:
>> How does a public CA prove ownership of an SSID?
>   Do public CAs *always* verify addresses and/or telephone numbers, which are normally included in certificates?

They are?  I've rarely seen it.
I think that if it's in the certificate, then they have verified them.
I can remember in the bad old days providing CAs with notarized articles of incorporation, etc.
I haven't done that this decade though, and I haven't seen that kind of info.
CAs won't include anything they can't verify.

>   Do public CAs verify that email addresses in the certificate work?

Yes, they do, by sending a challenge to it.
>   Do public CAs verify that the OIDs in the certificate match the intended use-cases?

Most won't include OIDs.
>   Is there a global registry of SSIDs which the public CA could use to verify the SSID?

No, SSIDs are a local matter.
One could (and I do), use FQDNs as the SSID.

That's the only way I can see this working.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
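As an added example that is not part of this thread, of the Baseline Requirements, or of any CA's code: a small offline Python model of the 3.2.2.4.4 "Constructed Email to Domain Contact" procedure Owen quotes, applied to the case Michael raises of using an FQDN as the SSID. It derives the constructed addresses a CA may mail for an FQDN, mints a Random Value, and accepts only a confirming response that carries that value unchanged and arrives within its lifetime. Assumptions, none of which come from the thread: all function and class names are invented; the base domain is supplied by the caller instead of being looked up in the public suffix list; the Random Value size and lifetime encode the BR definition (at least 112 bits of entropy, valid for use in a confirming response for no more than 30 days); no mail is actually sent, the "response" is simply handed in.

```python
"""Offline model of BR 3.2.2.4.4 (Constructed Email to Domain Contact) applied to an
SSID that is also an FQDN. Added example for this thread; not CA or IETF code.

Assumptions (not from the thread): helper names are invented; base_domain is supplied
by the caller rather than derived from the public suffix list; Random Value size and
lifetime follow the BR definition (>= 112 bits of entropy, at most 30 days); no mail
is sent, the confirming response is passed in directly.
"""
from __future__ import annotations

import hmac
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Local parts 3.2.2.4.4 permits; anything else (e.g. wifi@) is not a constructed address.
CONSTRUCTED_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")
RANDOM_VALUE_BYTES = 16                    # 128 bits, above the BR's 112-bit floor
RANDOM_VALUE_LIFETIME = timedelta(days=30)

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """Syntactic check that an SSID could be an FQDN (no wildcard, no spaces, has a TLD)."""
    name = name.rstrip(".")
    if not name or len(name) > 253 or "." not in name:
        return False
    labels = name.split(".")
    return all(_LABEL.match(label) for label in labels) and not labels[-1].isdigit()


def authorization_domain_names(fqdn: str, base_domain: str) -> list[str]:
    """Prune labels from the left of fqdn until base_domain is reached.
    Assumption: base_domain is the registrable domain (e.g. from the PSL)."""
    fqdn = fqdn.lower().rstrip(".")
    base_domain = base_domain.lower().rstrip(".")
    if fqdn != base_domain and not fqdn.endswith("." + base_domain):
        raise ValueError(f"{fqdn} is not under {base_domain}")
    names = []
    while True:
        names.append(fqdn)
        if fqdn == base_domain:
            return names
        fqdn = fqdn.split(".", 1)[1]


def constructed_addresses(fqdn: str, base_domain: str) -> list[str]:
    """Every address a CA may mail under 3.2.2.4.4 for this FQDN."""
    return [f"{local}@{adn}"
            for adn in authorization_domain_names(fqdn, base_domain)
            for local in CONSTRUCTED_LOCAL_PARTS]


@dataclass(frozen=True)
class Challenge:
    fqdn: str
    address: str
    random_value: str          # hex string; this is what goes into the e-mail
    issued_at: datetime


def issue_challenge(fqdn: str, address: str, now: datetime | None = None) -> Challenge:
    """Mint a fresh Random Value for one constructed address of fqdn."""
    if not is_fqdn(fqdn):
        raise ValueError(f"{fqdn!r} is not an FQDN, so 3.2.2.4.4 cannot apply")
    local, _, domain = address.partition("@")
    if local not in CONSTRUCTED_LOCAL_PARTS:
        raise ValueError(f"{address} does not use a permitted local part")
    authorization_domain_names(fqdn, domain)   # raises if domain is not an ADN candidate
    issued = now or datetime.now(timezone.utc)
    return Challenge(fqdn, address, secrets.token_hex(RANDOM_VALUE_BYTES), issued)


def confirm(challenge: Challenge, response_value: str, now: datetime | None = None) -> bool:
    """Accept a confirming response only if it carries the Random Value unchanged and
    arrives inside the value's lifetime. Constant-time compare, so a guessing client
    cannot learn the value byte by byte from timing."""
    now = now or datetime.now(timezone.utc)
    if now < challenge.issued_at or now - challenge.issued_at > RANDOM_VALUE_LIFETIME:
        return False
    return hmac.compare_digest(challenge.random_value.encode(), response_value.strip().encode())


def demo() -> dict:
    """Run the flow with fixed timestamps; returns the outcomes so they can be checked."""
    t0 = datetime(2019, 11, 16, 13, 1, tzinfo=timezone.utc)
    ch = issue_challenge("wifi.example.org", "hostmaster@example.org", now=t0)
    try:
        issue_challenge("wifi.example.org", "wifi@wifi.example.org", now=t0)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "ssid_is_fqdn": is_fqdn("wifi.example.org"),
        "plain_ssid_is_fqdn": is_fqdn("Corporate WiFi"),
        "random_value_len": len(ch.random_value),
        "fresh_ok": confirm(ch, ch.random_value, now=t0 + timedelta(days=1)),
        "expired": confirm(ch, ch.random_value, now=t0 + timedelta(days=31)),
        "wrong_value": confirm(ch, "0" * 32, now=t0 + timedelta(days=1)),
        "rejects_non_constructed_address": rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the code makes about the thread: an SSID such as "Corporate WiFi" fails `is_fqdn` and so has no Authorization Domain Name and no constructed address, which is exactly why no public CA method can vouch for it; an SSID that is an FQDN falls straight into the existing 3.2.2.4.4 machinery. A real CA would send the mail and wait for the reply; here `confirm` is fed the reply directly, and the expiry and constant-time comparison are the two checks an implementer most often forgets.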