Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
Ryan Sleevi <ryan-ietf@sleevi.com> Wed, 08 January 2020 11:26 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DCEA120227; Wed, 8 Jan 2020 03:26:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.397
X-Spam-Level:
X-Spam-Status: No, score=-1.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jnNjxEmAIiio; Wed, 8 Jan 2020 03:26:53 -0800 (PST)
Received: from mail-ed1-f53.google.com (mail-ed1-f53.google.com [209.85.208.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9C6512082C; Wed, 8 Jan 2020 03:26:52 -0800 (PST)
Received: by mail-ed1-f53.google.com with SMTP id bx28so2227533edb.11; Wed, 08 Jan 2020 03:26:52 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Fi95Jz2HShhbyNujaD57MW30TqLQehxo6Whqco1EZBs=; b=GLJgiUxl0VWNvHKTVVNS7wlDQIqlnvzuM6WoVfExE1u2A4wKlLVGiL3t/MVjJztP7C 4MOKDxeRz0ABcMPjnZJCcOksiYxAJ5UNWb6h0KKcUNDmFSdwW5uD5fF8LY9GITrdlmBx DudM+PtNb7C+PxkciF2pAnnWtRAlpDGzFI0U4FqzbBhBbaPMYOXKwkwBGebmqHpqD+nY PXeujDBDYx/QgTHiaZAULDAV2jFDtiL6jDWvTCMS4vANS2u7PictcbBEvA1C/jrKn/EI RFxpDstBc1c4n++Xzxg0hCyuTKWspOKj5bqNGrXByolpwPTiso8HUeV5pvBm2dJN6GtB C+uQ==
X-Gm-Message-State: APjAAAU4MzPhWyrg4pRlqyRUShC4NkzYRkx7l+MTS2V8kZI3AdVFUVNp DbYmDoMfggfa9wY3f6yJtXxo9OUv
X-Google-Smtp-Source: APXvYqwtYmsdOMpTnhOkISvXoCBSy+Q9yAJbhFCehsjWQIee+0yMcyjjjy9YKIu7s/UpJrRMo1LVQA==
X-Received: by 2002:a50:eacb:: with SMTP id u11mr4872122edp.181.1578482811198; Wed, 08 Jan 2020 03:26:51 -0800 (PST)
Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com. [209.85.221.52]) by smtp.gmail.com with ESMTPSA id qw15sm51530ejb.92.2020.01.08.03.26.50 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 08 Jan 2020 03:26:51 -0800 (PST)
Received: by mail-wr1-f52.google.com with SMTP id c9so2949969wrw.8; Wed, 08 Jan 2020 03:26:50 -0800 (PST)
X-Received: by 2002:a5d:530e:: with SMTP id e14mr3877908wrv.250.1578482810366; Wed, 08 Jan 2020 03:26:50 -0800 (PST)
MIME-Version: 1.0
References: <MN2PR11MB3901F9B86DAC83AF67FBA49DDB560@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HEzR4U9L2Bbj65hSKo4=GEHv=NVGkySFpdCaK2NoJBmFQ@mail.gmail.com> <MN2PR11MB39013D4C54FEACDC8228D136DB3F0@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HG=ZTbzfSr8oQMWgzFNqmdPkUNttLQDprGo5F6LXv9T5Q@mail.gmail.com> <B823CF84-4F78-4B91-BC68-E173FA78C28D@deployingradius.com> <CAErg=HEAtGiJKpLamdUaHicU2Psu7_0RrwsrwiQpb-uHOZ2p2Q@mail.gmail.com> <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <5F6DD581-21D6-4304-824E-4846CA3BC335@cisco.com>
In-Reply-To: <5F6DD581-21D6-4304-824E-4846CA3BC335@cisco.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Wed, 08 Jan 2020 06:26:39 -0500
X-Gmail-Original-Message-ID: <CAErg=HHcXU6MrzBZAY8y7tDhxY=K6q2tJJ3xXGfV_JxjRy29Kg@mail.gmail.com>
Message-ID: <CAErg=HHcXU6MrzBZAY8y7tDhxY=K6q2tJJ3xXGfV_JxjRy29Kg@mail.gmail.com>
To: "Eliot Lear (elear)" <elear@cisco.com>
Cc: Alan DeKok <aland@deployingradius.com>, EMU WG <emu@ietf.org>, Ryan Sleevi <ryan-ietf@sleevi.com>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000323148059b9f2ba5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/VERmhklayFf-IesvObXcefZayiE>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 11:27:00 -0000
On Wed, Jan 8, 2020 at 5:00 AM Eliot Lear (elear) <elear@cisco.com> wrote: > Hi Ryan, > > This topic seems like a good one to just get on the phone and sort > through, but I have one question: > > On 8 Jan 2020, at 09:11, Ryan Sleevi <ryan-ietf@sleevi.com> wrote: > > However, if using the same set or CAs that popular OSes use for TLS, it > does mean that these CAs, and their customers, will still be subject to the > same agility requirements, and limited to the same profile as TLS. Because > of this, there’s ample reason to split further into the dedicated hierarchy > and dedicated EKU. > > > Is there an example of a non-EAP use where splitting into a new hierarchy > has actually succeeded? > Document signing generally fits there, in that there are a number of CAs that only offer document signing/identity proofing without overlapping. As would, say, Cisco’s device/firmware signing model or the PKIs in use in the financial services/ATM markets. Relevant to EAP would be the aforementioned Passpoint model, which uses new and distinct CAs for that. There are definitely flaws with that (e.g. wanting said CAs to work with browsers), but there are parts of it that do work. There’s no technical reason to require the use of the same roots/same hierarchy, and ample and adequate reason to distinguish: both from the perspective of a root store maintainer (ensuring certificates comply with policies) and as a certificate consumer (minimizing risk of misissuance, ala Flame) >
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Owen Friel (ofriel)
- [Emu] EAP/EMU recommendations for client cert val… Owen Friel (ofriel)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] EAP/EMU recommendations for client cert… Michael Richardson
- Re: [Emu] EAP/EMU recommendations for client cert… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Joseph Salowey
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Benjamin Kaduk
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Mohit Sethi M
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Owen Friel (ofriel)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Stephen Farrell
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Stephen Farrell
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Salz, Rich
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Russ Housley
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Peter Bowen
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Phillip Hallam-Baker