Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

"Owen Friel (ofriel)" <ofriel@cisco.com> Sat, 16 November 2019 12:59 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Michael Richardson <mcr@sandelman.ca>, "emu@ietf.org" <emu@ietf.org>
Thread-Topic: [Emu] Idea: New X509 Extension for securing EAP-TLS
Date: Sat, 16 Nov 2019 12:59:37 +0000
Message-ID: <MN2PR11MB39018DA3DB90095F4F24B34CDB730@MN2PR11MB3901.namprd11.prod.outlook.com>
References: <102dd850-b1ae-3426-8189-45876b7b419d@uni-bremen.de> <04E2AEF5-F1EE-4B74-B5BB-DFE099543C92@vigilsec.com> <D735A4DB-1CFB-4DF4-ACB7-BC6EFDBC6CDE@deployingradius.com> <E0B8DAA7-8C7C-455F-B5BE-128670A093D3@vigilsec.com> <BD30A64D-539C-422D-9413-880AF8D6A16F@deployingradius.com> <8147b718-23d6-07de-a565-08bcc8148095@uni-bremen.de> <MN2PR11MB3901077F38165EE241D30BC5DB740@MN2PR11MB3901.namprd11.prod.outlook.com> <03a039fc-4f88-13ca-8492-29e6738d550d@sandelman.ca>
In-Reply-To: <03a039fc-4f88-13ca-8492-29e6738d550d@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/_yWHIEY6_3slMq-hjY9pl-lv5pg>
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>


-----Original Message-----
From: Emu <emu-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: 12 November 2019 09:20
To: emu@ietf.org
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS



On 2019-11-12 7:15 a.m., Owen Friel (ofriel) wrote:
> This is also related to ongoing anima discussions about RFC 8366, and how it can bootstrap trust when the pinned domain cert is a public PKI CA, and not a private CA, and hence additional domain (or realm or FQDN) info is also needed in order for the peer to verify the identity of the server.

While I'm familiar with this conversation, which I'm right now inspired to call the "Maria" problem ("How do you solve a problem like Maria.  How do you a cloud certificate and pin it down?")

I don't really understand what it has to do with the problem of an EAP client, **which is not doing initial onboarding**, to validate a certificate that it has received as part of EAP-TLS*.

[ofriel] Whether it's first-time bootstrap or subsequent EAP authentication, the EAP server is going to present the same identity cert to the client, and that could be signed by a public CA, and in both scenarios (bootstrap and reauthenticate) the client needs to know what identity to look for in the server cert.
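As an added illustration that is not part of the thread: the kind of server-identity check the reply says the EAP peer needs, once chain validation to a public CA has succeeded and the question becomes "is this the server I was told to expect?". The certificate is a constructed sample in the dict shape Python's ssl.getpeercert() returns; the SAN-only policy and the helper names are assumptions for the example.

```python
"""Server-identity check an EAP-TLS peer can apply to the server cert.

Constructed example. The cert is given in the dict shape Python's
ssl.getpeercert() returns (assumed here for illustration).
"""
from typing import Any, Iterable, Mapping


def _san_dns_names(cert: Mapping[str, Any]) -> list:
    """Collect dNSName entries from subjectAltName.

    The subject CN is ignored on purpose (assumed policy: SAN only), so a
    cert that carries no SAN cannot match any configured identity.
    """
    return [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _name_match(pattern: str, name: str) -> bool:
    """RFC 6125-style match: at most one '*', only as the whole leftmost label,
    never spanning a label boundary, and never for a bare two-label pattern."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if len(p_labels) != len(n_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == n_labels[1:]


def server_identity_ok(cert: Mapping[str, Any], expected: Iterable[str]) -> bool:
    """True if some dNSName in the cert matches one of the identities the peer
    was configured with (server FQDN or realm name). With a public CA the chain
    check alone says nothing about *which* server this is, so an empty
    'expected' list fails closed."""
    sans = _san_dns_names(cert)
    return any(_name_match(san, e) for san in sans for e in expected)


# Constructed sample: what a public-CA-issued EAP server cert might carry.
SAMPLE_CERT = {
    "subject": ((("commonName", "radius.example.com"),),),
    "issuer": ((("organizationName", "Public CA Example"),),),
    "subjectAltName": (("DNS", "radius.example.com"), ("DNS", "*.eap.example.com")),
}

# Constructed sample: CN only, no SAN; the peer has nothing reliable to match.
CN_ONLY_CERT = {"subject": ((("commonName", "radius.example.com"),),)}
```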