Re: [Emu] Best practices for supplicants and authenticators

"Cappalli, Tim (Aruba)" <timc@hpe.com> Mon, 18 November 2019 15:47 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/_m8H-UmxZPNbgcMiOlHDXZ_T7Mo>

Alan – Adding yet another OID and/or EKU to a certificate does not change the fact that no authority can attest to that information. A public CA cannot validate ownership of an NAIRealm. So while a supplicant could be configured to validate that the server’s NAIRealm matches the local configuration, that doesn’t change the requirement to manually configure the supplicant. So what are we actually trying to improve here?

From: Alan DeKok <aland@deployingradius.com>
Date: Monday, November 18, 2019 at 10:43 AM
To: Cappalli, Tim (Aruba) <timc@hpe.com>
Cc: EMU WG <emu@ietf.org>
Subject: Re: [Emu] Best practices for supplicants and authenticators
On Nov 18, 2019, at 10:37 AM, Cappalli, Tim (Aruba) <timc@hpe.com> wrote:
>
> If the goal is not to improve identity assurance of an EAP server then what is this best practice change actually for?

  I have been *explicit* in my statements that my goal *is* to improve validation of the EAP server identity.  I have no idea how anyone could interpret those statements as meaning the opposite of their clear intent.

  So I have no idea what you're getting at.  Please explain yourself using something *other* than a leading question which gets everything wrong.

  i.e. state a position and defend it.  Attacking a straw man version of someone else's position is unhelpful.

  Alan DeKok.