IETF Logo Mail Archive

Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

Alan DeKok <aland@deployingradius.com> Mon, 16 December 2019 00:50 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B51A912008F; Sun, 15 Dec 2019 16:50:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fDZPOrMQgrmB; Sun, 15 Dec 2019 16:50:57 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 568AA120059; Sun, 15 Dec 2019 16:50:57 -0800 (PST)
Received: from [192.168.46.130] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id BFBB863D; Mon, 16 Dec 2019 00:50:53 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none header.from=deployingradius.com
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3601.0.10\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAErg=HEzR4U9L2Bbj65hSKo4=GEHv=NVGkySFpdCaK2NoJBmFQ@mail.gmail.com>
Date: Sun, 15 Dec 2019 19:50:52 -0500
Cc: "Owen Friel (ofriel)" <ofriel@cisco.com>, "spasm@ietf.org" <spasm@ietf.org>, EMU WG <emu@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F3CFF526-4682-48C7-9DCA-144B2A972280@deployingradius.com>
References: <MN2PR11MB3901F9B86DAC83AF67FBA49DDB560@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HEzR4U9L2Bbj65hSKo4=GEHv=NVGkySFpdCaK2NoJBmFQ@mail.gmail.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
X-Mailer: Apple Mail (2.3601.0.10)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/a6WXdNzVeEQxlmkKLHYbzPb-nSQ>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Dec 2019 00:51:00 -0000

On Dec 15, 2019, at 6:43 PM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
> That is, most definitions for “public CAs” come down to “I don’t want to think about / analyze the security or validation practices of the CA, I want my supplicant / software / hardware vendor to do it for me, against some criteria the vendor is responsible for, and hope it all works out”. To the extent TLS uses ‘public CAs’, it either boils down to the OS or browser vendors reaching rough (independent) consensus on who is worth trusting, or the vendor going along with everyone else’s decisions for cost (too expensive for the vendor to evaluate) or compatibility (everyone else trusts them and it’d break things if the vendor doesn’t) reasons.

  It's also a way to move trust out of the individual machine, and into the network.  Given the complexity of supplicant configuration, I think that's a good thing.

> Is the supplicant market likely to reach that consensus? It seems unlikely, unless and until you define the “thing everyone can and wants and needs to validate”, and that thing is either globally unique (like DNS) or sufficiently domain specific (e.g. Passpoint) that vendors can agree.
> 
> > If at some point in the future, public CAs are willing to issue certs with some or all of the above fields, then what is the migration plan, what do we tell EAP clients to do now, and how to they migrate their verification logic?

  My goal is to answer that question.  Which involves some discussion and analysis.

> This statement similarly requires untangling. There are “public CAs” as “The set of keys/certificates used for authenticating particular services” and “public CAs” as the set of organizations that own/operate those keys.
> 
> The case of the former is extremely unlikely, as the industry is actively moving away from that approach to PKI, by trying to ensure separate keys for separate use cases or authentication realms, of which EAP would surely be. 

  Yes.

> > - client verifies server cert has id-kp-eapOverLAN set
> 
> What assurance is this to provide?

  The use-case for the certificate matches the intended use-case.

  Right now, I can use the same server certificate for HTTPS, EAP, or any other TLS-based protocol.  That seems wrong.

> - NAIRealm in cert matches user’s realm
> 
> This only works iff the NAIs are globally unique (e.g. map to DNS), which imposes requirements on NAIs that aren’t present in RFC 7542, and seemingly intentionally, compared to 4282.

  Huh?  RFC 7542 explicitly calls out NAI Realms as mapping to DNS.  See Section 2.5:

---
   In order to ensure a canonical representation, characters of the
   realm portion in an NAI MUST match the ABNF in this specification as
   well as the requirements specified in [RFC5891].  In practice, these
   requirements consist of the following item:

   *  Realms MUST be of the form that can be registered as a Fully
      Qualified Domain Name (FQDN) within the DNS.

   This list is significantly shorter and simpler than the list in
   Section 2.4 of [RFC4282].
---

  The intention of RFC 7542 is that NAI Realms are *exactly* DNS names.  This is a change from 4282, where realms were, well, we don't know.  That failure motivated 7542.

> Again, I think that’s desirable, to define an entirely new PKI with zero overlap with the server auth/TLS PKI used by OSes/browsers, but that does change your recommendations and design a bit :) The short term recommendation becomes “don’t use public CAs”, and that seems easier to explain and easier to evolve the technical requirements, until the time that such a new, EAP-specific public PKI can be introduced.

  The recommendation for EAP has generally been "don't use public CAs".  Originally it was in part because implementations didn't do certificate pinning.  i.e. once a root CA was trusted, a supplicant would accept any server certificate signed by that root, and send credentials over.

  Now, over a decade of practice has shown the private CAs for EAP allow for greater flexibility and control.  I've personally had CAs take my money for a cert, and refuse to give me anything in return.  No amount of complaining will convince them that it's a problem.  It's much simpler to just use a private CA.

> In my mind, this is no different from organizations that want TLS certificates for their servers named “webmail” (not globally unique) or “mail_01.company.example” (not preferred name form / LDH). The answer is “use private CAs, don’t use public CAs”

  I agree.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email