Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

"Owen Friel (ofriel)" <ofriel@cisco.com> Sat, 16 November 2019 13:00 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Alan DeKok <aland@deployingradius.com>, Jan-Frederik Rieckers <rieckers@uni-bremen.de>
CC: "emu@ietf.org" <emu@ietf.org>
Thread-Topic: [Emu] Idea: New X509 Extension for securing EAP-TLS
Date: Sat, 16 Nov 2019 12:59:58 +0000
Message-ID: <MN2PR11MB39013A3A444461A78C42DE19DB730@MN2PR11MB3901.namprd11.prod.outlook.com>
References: <102dd850-b1ae-3426-8189-45876b7b419d@uni-bremen.de> <04E2AEF5-F1EE-4B74-B5BB-DFE099543C92@vigilsec.com> <D735A4DB-1CFB-4DF4-ACB7-BC6EFDBC6CDE@deployingradius.com> <E0B8DAA7-8C7C-455F-B5BE-128670A093D3@vigilsec.com> <BD30A64D-539C-422D-9413-880AF8D6A16F@deployingradius.com> <8147b718-23d6-07de-a565-08bcc8148095@uni-bremen.de> <MN2PR11MB3901077F38165EE241D30BC5DB740@MN2PR11MB3901.namprd11.prod.outlook.com> <08da27e5-518e-b6a4-a97a-b4ae9c32ed00@uni-bremen.de> <58473B30-802F-469A-8967-CE90316974E7@deployingradius.com>
In-Reply-To: <58473B30-802F-469A-8967-CE90316974E7@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/WKk2RxH8CdS725bjMzb2e3MXqDM>
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>


-----Original Message-----
From: Emu <emu-bounces@ietf.org> On Behalf Of Alan DeKok
Sent: 12 November 2019 16:32
To: Jan-Frederik Rieckers <rieckers@uni-bremen.de>
Cc: emu@ietf.org
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

<snip>

> 
> The problem with dNSNames is that they are also used in other contexts 
> (mainly HTTPS).

  They're also domain names, not realms.  A particular certificate may be valid for authenticating users to the realm "example.org".  That same certificate may not be valid for the main web site for "example.org".

  This means that domain names are a hint, but not authoritative.  Only the NAIRealm field would be authoritative, i.e. "this certificate really is for users authenticating to a realm".

> There would be the possibility to define a specific prefix to bind it 
> to a Realm without having the certificate being valid for the HTTPS 
> host (e.g. eap-tls.uni-bremen.de for the realm
> uni-bremen.de) but I don't see the advantage in that.
> This will probably not really lead to a change in the supplicants' 
> implementations.

  A common short-hand is for certificates to use the "radius" subdomain.  e.g. "radius.example.org".  While not perfect, it's something.

[ofriel] This seems like something reasonable, but that's more a general deployment recommendation: ensure that the identity/realm of EAP servers is different from the identity/domain of web servers within an org. Therefore, in the absence of an NAIRealm or id-kp-eapOverLAN extension in a cert, clients can still distinguish between the two. Users point their browser clients to 'example.org' and Wi-Fi supplicants are configured to look for 'radius.example.org'.

The supplicant logic for verifying EAP server identity (assuming it already knows the root CA and a realm/domain string) could be: check for NAIRealm first, then check for id-kp-eapOverLAN, then check for a dNSName.
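The check order described in the message, as an added worked example in Go; this is not code from the thread, from Owen Friel, or from any supplicant project. It operates on cert.Extensions of a *x509.Certificate that has already been chained to the configured root CA. Go's crypto/x509 exposes dNSName entries but not otherName entries of the subjectAltName, so the SAN is walked by hand; the OIDs are id-on-naiRealm (1.3.6.1.5.5.7.8.8, RFC 7585) and id-kp-eapOverLAN (1.3.6.1.5.5.7.3.14, RFC 4334). Assumptions beyond what the message says: the realm comparison is an exact, case-insensitive string match (RFC 7585 wildcard realms are not handled); id-kp-eapOverLAN states a purpose rather than an identity, so it is paired with a dNSName match; and the two sample extension sets (eapServerExts, webServerExts) are constructed DER written out inline, one for an EAP server certificate and one for the organisation's ordinary web-server certificate.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"slices"
	"strings"
)

var (
	oidSAN        = asn1.ObjectIdentifier{2, 5, 29, 17}               // subjectAltName
	oidEKU        = asn1.ObjectIdentifier{2, 5, 29, 37}               // extKeyUsage
	oidNAIRealm   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 8}  // id-on-naiRealm, RFC 7585
	oidEAPOverLAN = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 14} // id-kp-eapOverLAN, RFC 4334
)

// parseIdentity walks cert.Extensions itself because crypto/x509 does not expose otherName SAN entries.
// It yields the NAIRealms, the dNSNames and whether id-kp-eapOverLAN is asserted; malformed input is an error (fail closed).
func parseIdentity(exts []pkix.Extension) (realms, dnsNames []string, eapOverLAN bool, err error) {
	for _, ext := range exts {
		switch {
		case ext.Id.Equal(oidEKU):
			var ekus []asn1.ObjectIdentifier
			if _, err = asn1.Unmarshal(ext.Value, &ekus); err != nil {
				return nil, nil, false, fmt.Errorf("malformed extKeyUsage: %w", err)
			}
			eapOverLAN = slices.ContainsFunc(ekus, oidEAPOverLAN.Equal)
		case ext.Id.Equal(oidSAN):
			var names []asn1.RawValue // GeneralNames, one raw element per GeneralName
			if _, err = asn1.Unmarshal(ext.Value, &names); err != nil {
				return nil, nil, false, fmt.Errorf("malformed subjectAltName: %w", err)
			}
			for _, gn := range names {
				var on struct { // OtherName: type-id OID, then value [0] EXPLICIT ANY, kept raw
					TypeID asn1.ObjectIdentifier
					Value  asn1.RawValue
				}
				var realm string
				switch {
				case gn.Class == asn1.ClassContextSpecific && gn.Tag == 2: // [2] dNSName, an IA5String
					dnsNames = append(dnsNames, string(gn.Bytes))
				case gn.Class == asn1.ClassContextSpecific && gn.Tag == 0: // [0] IMPLICIT OtherName
					if _, err = asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil {
						return nil, nil, false, fmt.Errorf("malformed otherName: %w", err)
					}
					if on.TypeID.Equal(oidNAIRealm) {
						if _, err = asn1.Unmarshal(on.Value.Bytes, &realm); err != nil {
							return nil, nil, false, fmt.Errorf("malformed NAIRealm: %w", err)
						}
						realms = append(realms, realm)
					}
				}
			}
		}
	}
	return realms, dnsNames, eapOverLAN, nil
}

func hasFold(names []string, want string) bool {
	return slices.ContainsFunc(names, func(n string) bool { return strings.EqualFold(n, want) })
}

// VerifyEAPServerIdentity applies the order proposed in the message: a present NAIRealm is authoritative
// and decides the outcome with no fallback to dNSName; otherwise a dNSName match is required, and
// id-kp-eapOverLAN lifts it from a hint to a stated purpose. exts is cert.Extensions of a chain-validated cert.
func VerifyEAPServerIdentity(exts []pkix.Extension, realm, serverName string) (bool, string, error) {
	realms, dnsNames, eapOverLAN, err := parseIdentity(exts)
	switch {
	case err != nil:
		return false, "", err
	case len(realms) > 0: // authoritative, so a mismatch is final even if the dNSName would match
		return hasFold(realms, realm), "NAIRealm", nil
	case !hasFold(dnsNames, serverName):
		return false, "dNSName", nil
	case eapOverLAN:
		return true, "id-kp-eapOverLAN + dNSName", nil
	}
	return true, "dNSName only (hint)", nil
}

// Constructed sample extensions, written out as DER so the wire layout is visible: an EAP server cert with
// SAN = otherName{id-on-naiRealm "example.org"} + dNSName "radius.example.org" and EKU = serverAuth + eapOverLAN,
// and the organisation's ordinary web cert with SAN = dNSName "example.org" and EKU = serverAuth only.
var (
	eapServerExts = []pkix.Extension{
		{Id: oidSAN, Value: []byte("\x30\x2f\xa0\x19\x06\x08\x2b\x06\x01\x05\x05\x07\x08\x08\xa0\x0d\x0c\x0bexample.org\x82\x12radius.example.org")},
		{Id: oidEKU, Value: []byte("\x30\x14\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x0e")},
	}
	webServerExts = []pkix.Extension{
		{Id: oidSAN, Value: []byte("\x30\x0d\x82\x0bexample.org")},
		{Id: oidEKU, Value: []byte("\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01")},
	}
)

func main() { // a supplicant configured for realm example.org that expects radius.example.org
	fmt.Println(VerifyEAPServerIdentity(eapServerExts, "example.org", "radius.example.org"))
	fmt.Println(VerifyEAPServerIdentity(webServerExts, "example.org", "radius.example.org"))
}
```

Two consequences of making NAIRealm authoritative show up immediately: the web-server certificate for example.org is refused by a supplicant expecting radius.example.org, and a certificate that carries an NAIRealm for some other realm is refused even though its dNSName matches, because there is no fall-through to the domain-name hint once the extension is present. The "dNSName only (hint)" basis is the weakest accept; a supplicant that wants to insist on the extension can treat that basis as a failure, and a malformed SAN or EKU is always a failure rather than a missing binding.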