IETF Logo Mail Archive

Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

Ryan Sleevi <ryan-ietf@sleevi.com> Wed, 08 January 2020 11:26 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DCEA120227; Wed, 8 Jan 2020 03:26:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.397
X-Spam-Level:
X-Spam-Status: No, score=-1.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jnNjxEmAIiio; Wed, 8 Jan 2020 03:26:53 -0800 (PST)
Received: from mail-ed1-f53.google.com (mail-ed1-f53.google.com [209.85.208.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9C6512082C; Wed, 8 Jan 2020 03:26:52 -0800 (PST)
Received: by mail-ed1-f53.google.com with SMTP id bx28so2227533edb.11; Wed, 08 Jan 2020 03:26:52 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Fi95Jz2HShhbyNujaD57MW30TqLQehxo6Whqco1EZBs=; b=GLJgiUxl0VWNvHKTVVNS7wlDQIqlnvzuM6WoVfExE1u2A4wKlLVGiL3t/MVjJztP7C 4MOKDxeRz0ABcMPjnZJCcOksiYxAJ5UNWb6h0KKcUNDmFSdwW5uD5fF8LY9GITrdlmBx DudM+PtNb7C+PxkciF2pAnnWtRAlpDGzFI0U4FqzbBhBbaPMYOXKwkwBGebmqHpqD+nY PXeujDBDYx/QgTHiaZAULDAV2jFDtiL6jDWvTCMS4vANS2u7PictcbBEvA1C/jrKn/EI RFxpDstBc1c4n++Xzxg0hCyuTKWspOKj5bqNGrXByolpwPTiso8HUeV5pvBm2dJN6GtB C+uQ==
X-Gm-Message-State: APjAAAU4MzPhWyrg4pRlqyRUShC4NkzYRkx7l+MTS2V8kZI3AdVFUVNp DbYmDoMfggfa9wY3f6yJtXxo9OUv
X-Google-Smtp-Source: APXvYqwtYmsdOMpTnhOkISvXoCBSy+Q9yAJbhFCehsjWQIee+0yMcyjjjy9YKIu7s/UpJrRMo1LVQA==
X-Received: by 2002:a50:eacb:: with SMTP id u11mr4872122edp.181.1578482811198; Wed, 08 Jan 2020 03:26:51 -0800 (PST)
Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com. [209.85.221.52]) by smtp.gmail.com with ESMTPSA id qw15sm51530ejb.92.2020.01.08.03.26.50 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 08 Jan 2020 03:26:51 -0800 (PST)
Received: by mail-wr1-f52.google.com with SMTP id c9so2949969wrw.8; Wed, 08 Jan 2020 03:26:50 -0800 (PST)
X-Received: by 2002:a5d:530e:: with SMTP id e14mr3877908wrv.250.1578482810366; Wed, 08 Jan 2020 03:26:50 -0800 (PST)
MIME-Version: 1.0
References: <MN2PR11MB3901F9B86DAC83AF67FBA49DDB560@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HEzR4U9L2Bbj65hSKo4=GEHv=NVGkySFpdCaK2NoJBmFQ@mail.gmail.com> <MN2PR11MB39013D4C54FEACDC8228D136DB3F0@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HG=ZTbzfSr8oQMWgzFNqmdPkUNttLQDprGo5F6LXv9T5Q@mail.gmail.com> <B823CF84-4F78-4B91-BC68-E173FA78C28D@deployingradius.com> <CAErg=HEAtGiJKpLamdUaHicU2Psu7_0RrwsrwiQpb-uHOZ2p2Q@mail.gmail.com> <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <5F6DD581-21D6-4304-824E-4846CA3BC335@cisco.com>
In-Reply-To: <5F6DD581-21D6-4304-824E-4846CA3BC335@cisco.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Wed, 08 Jan 2020 06:26:39 -0500
X-Gmail-Original-Message-ID: <CAErg=HHcXU6MrzBZAY8y7tDhxY=K6q2tJJ3xXGfV_JxjRy29Kg@mail.gmail.com>
Message-ID: <CAErg=HHcXU6MrzBZAY8y7tDhxY=K6q2tJJ3xXGfV_JxjRy29Kg@mail.gmail.com>
To: "Eliot Lear (elear)" <elear@cisco.com>
Cc: Alan DeKok <aland@deployingradius.com>, EMU WG <emu@ietf.org>, Ryan Sleevi <ryan-ietf@sleevi.com>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000323148059b9f2ba5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/VERmhklayFf-IesvObXcefZayiE>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 11:27:00 -0000

On Wed, Jan 8, 2020 at 5:00 AM Eliot Lear (elear) <elear@cisco.com> wrote:

> Hi Ryan,
>
> This topic seems like a good one to just get on the phone and sort
> through, but I have one question:
>
> On 8 Jan 2020, at 09:11, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
>
> However, if using the same set or CAs that popular OSes use for TLS, it
> does mean that these CAs, and their customers, will still be subject to the
> same agility requirements, and limited to the same profile as TLS. Because
> of this, there’s ample reason to split further into the dedicated hierarchy
> and dedicated EKU.
>
>
> Is there an example of a non-EAP use where splitting into a new hierarchy
> has actually succeeded?
>

Document signing generally fits there, in that there are a number of CAs
that only offer document signing/identity proofing without overlapping. As
would, say, Cisco’s device/firmware signing model or the PKIs in use in the
financial services/ATM markets.

Relevant to EAP would be the aforementioned Passpoint model, which uses new
and distinct CAs for that. There are definitely flaws with that (e.g.
wanting said CAs to work with browsers), but there are parts of it that do
work.

There’s no technical reason to require the use of the same roots/same
hierarchy, and ample and adequate reason to distinguish: both from the
perspective of a root store maintainer (ensuring certificates comply with
policies) and as a certificate consumer (minimizing risk of misissuance,
ala Flame)

>

v2.23.0 | Report a Bug | By Email