Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 13 November 2019 23:23 UTC

To: emu@ietf.org
References: <102dd850-b1ae-3426-8189-45876b7b419d@uni-bremen.de> <04E2AEF5-F1EE-4B74-B5BB-DFE099543C92@vigilsec.com> <D735A4DB-1CFB-4DF4-ACB7-BC6EFDBC6CDE@deployingradius.com> <E0B8DAA7-8C7C-455F-B5BE-128670A093D3@vigilsec.com> <BD30A64D-539C-422D-9413-880AF8D6A16F@deployingradius.com> <8147b718-23d6-07de-a565-08bcc8148095@uni-bremen.de> <MN2PR11MB3901077F38165EE241D30BC5DB740@MN2PR11MB3901.namprd11.prod.outlook.com> <08da27e5-518e-b6a4-a97a-b4ae9c32ed00@uni-bremen.de> <46C8D8C4-7317-47F3-8F9B-6C56F7B7FEE9@vigilsec.com> <F45360DB-D474-4600-BEFD-3C844FA4CB0A@deployingradius.com>
From: Michael Richardson <mcr+ietf@sandelman.ca>
Message-ID: <240b3611-706c-303f-82aa-3fc3d78b7aa3@sandelman.ca>
Date: Thu, 14 Nov 2019 07:23:52 +0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/ZwR_E2CSBaEzqK2glOXhzTZmsNo>


On 2019-11-13 4:07 a.m., Alan DeKok wrote:
> On Nov 12, 2019, at 11:43 AM, Russ Housley <housley@vigilsec.com> wrote:
>> Can the extended key usage for EAP over a LAN ( id-kp-eapOverLAN ) solve this for you?  It is defined in RFC 4334.  A certificate for Web PKI should not include this extended key usage.
>>
>> RFC 4334 also offers a certificate extension that lists the SSIDs that are associated with the server.
>   That does sound relevant.  I wasn't even aware of that document.
>
>   While RFC 4334 offers the id-kp-eapOverLAN OID, I'm not aware of anyone using it.  Even Microsoft supplicants still require the TLS web server auth OID (1.3.6.1.5.5.7.3.1).

I think that the issue isn't whether we can find or define an OID that has the
right semantics.
I think that the issue is whether or not any public CAs are willing to
include that in a certificate.
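As an added illustration (not code from this thread or from any of the posters), the following Python encodes and decodes the two RFC 4334 items Russ mentions: the extendedKeyUsage value carrying id-kp-eapOverLAN, and the SSIDList extension value. It is a minimal DER codec with no dependencies. The OIDs (serverAuth 1.3.6.1.5.5.7.3.1, id-kp-eapOverPPP/eapOverLAN 1.3.6.1.5.5.7.3.13/.14, anyExtendedKeyUsage 2.5.29.37.0, id-pe-wlanSSID 1.3.6.1.5.5.7.1.13) come from RFC 4334 and RFC 5280. The sample EKU values are constructed inline, and the verdict function only restates the thread's observation that some supplicants insist on serverAuth; it is an assumption about supplicant behaviour, not something the code can verify.

```python
"""Minimal DER codec for the RFC 4334 extendedKeyUsage and SSIDList values.

Added example; not code from the EMU thread. OIDs from RFC 4334 / RFC 5280.
"""

# KeyPurposeId OIDs named in the thread (RFC 5280 section 4.2.1.12, RFC 4334 section 3)
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_EAP_OVER_PPP = "1.3.6.1.5.5.7.3.13"
ID_KP_EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
# Extension OIDs: extendedKeyUsage (RFC 5280) and id-pe-wlanSSID (RFC 4334 section 4)
ID_CE_EXT_KEY_USAGE = "2.5.29.37"
ID_PE_WLAN_SSID = "1.3.6.1.5.5.7.1.13"

KP_NAMES = {
    ID_KP_SERVER_AUTH: "serverAuth",
    ID_KP_CLIENT_AUTH: "clientAuth",
    ID_KP_EAP_OVER_PPP: "eapOverPPP",
    ID_KP_EAP_OVER_LAN: "eapOverLAN",
    ANY_EXTENDED_KEY_USAGE: "anyExtendedKeyUsage",
}


def der_len(n: int) -> bytes:
    """DER definite-form length: short form below 0x80, else 0x8N + N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    out = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(out)]) + out


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:  # indefinite or absurd lengths are not DER
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a full OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, continuation bit on all but the last group
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06]) + der_len(len(body)) + bytes(body)


def decode_oid(body: bytes) -> str:
    """Decode the value octets of an OBJECT IDENTIFIER back to dotted form."""
    if not body:
        raise ValueError("empty OID")
    a0 = min(body[0] // 40, 2)  # arc 0 is capped at 2; the remainder is arc 1
    arcs = [a0, body[0] - 40 * a0]
    value, pending = 0, False
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(map(str, arcs))


def encode_eku(oids) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId"""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30]) + der_len(len(body)) + body


def decode_eku(der: bytes):
    """Parse an extendedKeyUsage extension value; reject trailing bytes and non-OID members."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extendedKeyUsage must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(value))
    if not oids:
        raise ValueError("EKU must list at least one KeyPurposeId")
    return oids


def encode_ssid_list(ssids) -> bytes:
    """SSIDList ::= SEQUENCE SIZE (1..MAX) OF SSID, SSID ::= OCTET STRING (SIZE (1..32))"""
    body = b"".join(bytes([0x04]) + der_len(len(s)) + s for s in ssids)
    return bytes([0x30]) + der_len(len(body)) + body


def decode_ssid_list(der: bytes):
    """Parse an id-pe-wlanSSID extension value, enforcing the 1..32 octet SSID bound."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SSIDList must be exactly one SEQUENCE")
    ssids, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag != 0x04 or not 1 <= len(value) <= 32:
            raise ValueError("SSID must be an OCTET STRING of 1..32 octets")
        ssids.append(value)
    if not ssids:
        raise ValueError("SSIDList must contain at least one SSID")
    return ssids


def eap_tls_verdict(eku_der: bytes) -> dict:
    """Summarise an EKU against the two views in the thread.

    Assumption, not a check the code can make: a "serverAuth-only" supplicant
    (the Microsoft behaviour Alan describes) accepts the server certificate only
    if serverAuth is listed, and ignores id-kp-eapOverLAN entirely.
    """
    oids = decode_eku(eku_der)
    return {
        "purposes": [KP_NAMES.get(o, o) for o in oids],
        "rfc4334_eap_over_lan": ID_KP_EAP_OVER_LAN in oids,
        "accepted_by_serverauth_only_supplicant": ID_KP_SERVER_AUTH in oids,
        "unrestricted": ANY_EXTENDED_KEY_USAGE in oids,
    }


# Constructed sample EKU values for the three certificate profiles discussed
WEB_PKI_EKU = encode_eku([ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH])   # typical public CA issuance
RFC4334_ONLY_EKU = encode_eku([ID_KP_EAP_OVER_LAN])                 # "correct" but rarely accepted
BOTH_EKU = encode_eku([ID_KP_SERVER_AUTH, ID_KP_EAP_OVER_LAN])      # what a RADIUS operator wants
SAMPLE_SSIDS = encode_ssid_list([b"eduroam", b"corp-wifi"])         # constructed SSID list

if __name__ == "__main__":
    for label, eku in (("web PKI", WEB_PKI_EKU), ("RFC 4334 only", RFC4334_ONLY_EKU), ("both", BOTH_EKU)):
        print(label, eap_tls_verdict(eku))
    print("SSIDs:", decode_ssid_list(SAMPLE_SSIDS))
```

The decoder rejects trailing bytes after the outer SEQUENCE and any non-OID member, which is the kind of strictness a supplicant's certificate parser should have before it draws any conclusion from the extension; the verdict dictionary makes the thread's point concrete: a certificate that carries only id-kp-eapOverLAN is right by RFC 4334 and still fails a supplicant that checks for serverAuth.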