IETF Logo Mail Archive

Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

Alan DeKok <aland@deployingradius.com> Sat, 18 January 2020 22:58 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 531C1120168; Sat, 18 Jan 2020 14:58:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ks9mX1IGfSFr; Sat, 18 Jan 2020 14:58:06 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B1AF120130; Sat, 18 Jan 2020 14:58:06 -0800 (PST)
Received: from [192.168.46.130] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id E5E6164E; Sat, 18 Jan 2020 22:58:03 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none header.from=deployingradius.com
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAErg=HE8WO1oU=ZUxMeJZpxVyM_6ypCn-3_9UqKkMv44c7Do=Q@mail.gmail.com>
Date: Sat, 18 Jan 2020 17:58:02 -0500
Cc: Benjamin Kaduk <kaduk@mit.edu>, EMU WG <emu@ietf.org>, Joseph Salowey <joe@salowey.net>, Michael Richardson <mcr+ietf@sandelman.ca>, "Owen Friel (ofriel)" <ofriel@cisco.com>, "spasm@ietf.org" <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <07C710A5-3B2A-4D15-8BB7-AB5A8B5EF5D1@deployingradius.com>
References: <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <316CC74D-667B-4A1E-AD48-A702DF705423@deployingradius.com> <6191.1578513600@localhost> <CB67C090-4D6A-4586-AD7C-99A29EF5D92D@deployingradius.com> <CAOgPGoDADPY125Bf7mbPCpEVkwVF=YmbG9wAN0S-WyCWg27BCw@mail.gmail.com> <20200116040715.GC80030@kduck.mit.edu> <CAErg=HHwLOw9sL2=nGca5MuuyiV2Zghrp6prR7SqLJAvfCLmjA@mail.gmail.com> <B3A03277-C176-4E63-ADB3-70133E2ABA46@deployingradius.com> <MN2PR11MB3901D1B17802F2DACCC8966CDB300@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HE0XDbhuibtky5VhvZYUnQxDitLSEuf4uzXnuByNQN+4Q@mail.gmail.com> <55CE7F32-B5DE-44F5-AE06-72BE12FA05FF@deployingradius.com> <CAErg=HH8LjqMR37Ek1uK12uCDj4N89Ot=Fm_PLOBdeXsv3sdpw@mail.gmail.com> <7F591857-4B7B-41BD-B101-6C40BE527644@deployingradius.com> <CAErg=HF9SQCmP9hi8SP-EstyYL-qVLWMeitP2AHc3T6ZWZM4vQ@mail.gmail.com> <9AADAAD6-0A66-4198-AFBF-DBC2D87DBFA0@deployingradius.com> <CAErg=HE8WO1oU=ZUxMeJZpxVyM_6ypCn-3_9UqKkMv44c7Do=Q@mail.gmail.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/aaUfMrZa8o75cRf4wkT1ZkrwdrM>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jan 2020 22:58:16 -0000

On Jan 18, 2020, at 4:11 PM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
> 
> You’re conflating several things, as well as seemingly shifting the goal posts here. Perhaps it’s just a poor expression of the problem, as you see it, in which case, it might help to be clearer.

  I'm trying to solve the problem of bootstrapping.  I agree that various CAs have various rules.  I agree that anyone can run their own private CA, and do whatever they want.  I've been doing that, and recommending it, for ~20 years.

> Can’t get eapOverLan from a TLS CA? Ok. That’s not a bug, that’s not a misdesign, that’s how it works and is supposed to work.

  Where you say "TLS CA", you mean "WWW CA".  All these other applications use TLS, too.

  In practice, that WWW CA design translates into "CAs which are included with OS distributions".  Which means "CA trivially usable by applications".  ALL applications.  Not just the browser.

  Is it any surprise that *all* applications ended up leveraging that functionality?

  When the CA *isn't* included with the OS distribution, it means that CA *cannot* be used to bootstrap TLS-enabled applications.  Each application (not just EAP) MUST be manually configured with the CA.

  The alternative is to ask the application to naively trust a CA it doesn't know, and a CA which isn't included with the OS distribution.  I don't think that will happen.

  It's easy for a browser vendor to tell a CA "issue certs our customers can use".  It's much, much, harder for anyone else to do the same thing.

> >   That is mostly true, but unhelpful.  Windows doesn't ship with "Billy bob's tackle shop & CA" root certificates.  Neither does Linux, OSX, etc.  Your statement here is just a rephrasing of "use a private CA", and "manually configure things".
> 
> Yes, exactly, which is why I’m not sure the objection.

  It's less of an objection than a statement that we're back to the initial conclusion: use a private CA, manually configure, and ignore the root CAs shipped with the OS distribution.

  How does that help with the bootstrapping problem?

> If you don’t like those policies, or you want more purposes, do your own thing. The same modern OS distributions provide that capability for applications to do so, to allow the application vendor to select their trust store, and It Just Works.
> 
> Can’t find someone who does what you want? That’s not a problem: you can do it yourself. In discussing the second problem, there is absolutely zero reason to use anything existing. None whatsoever.

  I'm happy to use a new PKI.  But we *cannot* and *must not* rely on every application to "do it yourself".  There must be a trust anchor shipped with OS distributions, that applications can leverage.

> It’s completely unreasonable to be complaining “CA X won’t let me use certificates for this purpose” if you’re not addressing that with CA X. And it’s completely unreasonable to complain that Root stores intended for use case Y cannot be used with use case Z. Hammers make lousy screwdrivers, even if they are both “tools one uses when building furniture”

  Sure.  So how does *my* application get Microsoft, Apple, etc. to ship a new PKI?

  Answer: even Microsoft and Apple can't do it for their own applications.  They just leverage the pre-existing WWW PKI.

  If trillion dollar companies can't deploy a new PKI for their own applications, it's entirely unreasonable to ask that of a minor cog like me.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email