Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 18 January 2020 14:22 UTC

To: Ryan Sleevi <ryan-ietf@sleevi.com>, Alan DeKok <aland@deployingradius.com>
Cc: "Owen Friel (ofriel)" <ofriel@cisco.com>, EMU WG <emu@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, "spasm@ietf.org" <spasm@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>, Joseph Salowey <joe@salowey.net>
References: <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <316CC74D-667B-4A1E-AD48-A702DF705423@deployingradius.com> <6191.1578513600@localhost> <CB67C090-4D6A-4586-AD7C-99A29EF5D92D@deployingradius.com> <CAOgPGoDADPY125Bf7mbPCpEVkwVF=YmbG9wAN0S-WyCWg27BCw@mail.gmail.com> <20200116040715.GC80030@kduck.mit.edu> <CAErg=HHwLOw9sL2=nGca5MuuyiV2Zghrp6prR7SqLJAvfCLmjA@mail.gmail.com> <B3A03277-C176-4E63-ADB3-70133E2ABA46@deployingradius.com> <MN2PR11MB3901D1B17802F2DACCC8966CDB300@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HE0XDbhuibtky5VhvZYUnQxDitLSEuf4uzXnuByNQN+4Q@mail.gmail.com> <55CE7F32-B5DE-44F5-AE06-72BE12FA05FF@deployingradius.com> <CAErg=HH8LjqMR37Ek1uK12uCDj4N89Ot=Fm_PLOBdeXsv3sdpw@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <3f964440-37d4-a08e-3d86-10ea712e99ca@cs.tcd.ie>
Date: Sat, 18 Jan 2020 14:21:53 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
In-Reply-To: <CAErg=HH8LjqMR37Ek1uK12uCDj4N89Ot=Fm_PLOBdeXsv3sdpw@mail.gmail.com>
Content-Type: multipart/mixed; boundary="------------00DDBA1DA5F75C1F8DE259A3"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/UjaWxzqeuBw2PRh6fGNOQr--0Lk>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
Precedence: list

Hiya,

On 18/01/2020 13:55, Ryan Sleevi wrote:
> No. The root store operators make the rules. Standards that align with
> their needs are the standards they use and apply.
> 
> Nothing you say or do has any impact without implementor, and if you go
> against the grain of where implementors are going or already at, they are
> useless standards that will be ignored.
> 
> It would similarly be a mistake to think “Ah, but I control an SMTP server,
> I am thus an implementor and empowered”. You are indeed an implementor...
> for your root store. And if existing contracts and requirements prevent a
> CA from serving your needs from the same hierarchy they are serving other
> root store needs, which they increasingly will, then again, there’s no real
> power unless you define your own root store.

I have to say that comes across as fairly arrogant. I guess
that's by the by, but it makes me happy that I don't need
to play in the CAB forum space:-) [I'm sure it wasn't meant
to be arrogant, and it has been a long thread which can
lead to irritability, but that's how it struck me.]

I've no real axe to grind here (definitely not wrt EAP),
but, as a private key holder I do use web PKI CAs for
email servers as well as for web servers. Turning that
off would disimprove security for the Internet without
(IMO) any real justification as to it producing a real
improvement in the web PKI. (I do control the domains.)
I don't buy that mentions of diginotar or equivalent
misissuance problems are really relevant myself.

That, and I've always considered CP/CPS as legal window
dressing, initially for the benefit of CAs but judging
from the above, now apparently mostly for the benefit of
web PKI root store maintainers (aka browsers).

So yeah, count me amongst those who'd suggest fixing the
policy to match what's better for the Internet is the
right approach, even if it's not an approach that might
get traction in CAB forum.

S.

Attachment: 0x5AB2FAF17B172BEA.asc

Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Owen Friel (ofriel)
[Emu] EAP/EMU recommendations for client cert val… Owen Friel (ofriel)
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] EAP/EMU recommendations for client cert… Michael Richardson
Re: [Emu] EAP/EMU recommendations for client cert… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Joseph Salowey
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Benjamin Kaduk
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Mohit Sethi M
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Owen Friel (ofriel)
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Stephen Farrell
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Stephen Farrell
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Salz, Rich
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Russ Housley
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Peter Bowen
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Phillip Hallam-Baker

Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

Attachment: 0x5AB2FAF17B172BEA.asc