IETF Logo Mail Archive

Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

Ryan Sleevi <ryan-ietf@sleevi.com> Sat, 18 January 2020 07:21 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 314B2120058; Fri, 17 Jan 2020 23:21:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dffxec0B5kFw; Fri, 17 Jan 2020 23:21:07 -0800 (PST)
Received: from mail-ed1-f54.google.com (mail-ed1-f54.google.com [209.85.208.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86AC11200C5; Fri, 17 Jan 2020 23:21:06 -0800 (PST)
Received: by mail-ed1-f54.google.com with SMTP id j17so24462453edp.3; Fri, 17 Jan 2020 23:21:06 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=49iJgavE2dWVzjY76roWXr15JoGYBhn0prqRDvAIQOQ=; b=NKVdsxtlYc6Tgkf1tJaHwULSNyE35zsEuS9rxdvIVwIw2nz83KdIxNPL+mF6qIQ5pg pIujeBTz6yU8ypcWNvWHJNckAAuur3PK0ryxMD3GgdfhkWTgpLrq8goeW9g+SdM2cIQ+ yEtef4duRleNdMHIH740xFrVyzlk1LmpEosnlYkwTZLyzhjwWVBHjRjp/l3bgzW3Ohsh 2EMOkh1+0yaVSPFBK4ftojGGMjYcc2HKki4de5ywLgxPFQey0tukHL7rhVdwkmQ3xfH9 1lGAxAeX9Sez0YKcU+Tj6Y49DAm5UyqHypd0Q7fjdAab/4YeZX7M8x737+KWDdjmeSDB NAOg==
X-Gm-Message-State: APjAAAViNF8yz/95soIB2KvHlRgNU6nFpNTepKeFpnvyB52EMYRhcRgn EG6jQzXNROPnY2acKctqdNE/IABB
X-Google-Smtp-Source: APXvYqxAL4RYhUK57PziOzeIOsMrwVkNtU3rdqiR8rRwSEIdQS4UNzPLrcM+gtFfkJ7c3qaWUcvf1Q==
X-Received: by 2002:aa7:d3cb:: with SMTP id o11mr7894607edr.145.1579332064665; Fri, 17 Jan 2020 23:21:04 -0800 (PST)
Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com. [209.85.128.49]) by smtp.gmail.com with ESMTPSA id pv11sm825274ejb.75.2020.01.17.23.21.03 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 17 Jan 2020 23:21:03 -0800 (PST)
Received: by mail-wm1-f49.google.com with SMTP id a5so9505818wmb.0; Fri, 17 Jan 2020 23:21:03 -0800 (PST)
X-Received: by 2002:a05:600c:149:: with SMTP id w9mr7964832wmm.132.1579332063136; Fri, 17 Jan 2020 23:21:03 -0800 (PST)
MIME-Version: 1.0
References: <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <316CC74D-667B-4A1E-AD48-A702DF705423@deployingradius.com> <6191.1578513600@localhost> <CB67C090-4D6A-4586-AD7C-99A29EF5D92D@deployingradius.com> <CAOgPGoDADPY125Bf7mbPCpEVkwVF=YmbG9wAN0S-WyCWg27BCw@mail.gmail.com> <20200116040715.GC80030@kduck.mit.edu> <CAErg=HHwLOw9sL2=nGca5MuuyiV2Zghrp6prR7SqLJAvfCLmjA@mail.gmail.com> <B3A03277-C176-4E63-ADB3-70133E2ABA46@deployingradius.com> <MN2PR11MB3901D1B17802F2DACCC8966CDB300@MN2PR11MB3901.namprd11.prod.outlook.com>
In-Reply-To: <MN2PR11MB3901D1B17802F2DACCC8966CDB300@MN2PR11MB3901.namprd11.prod.outlook.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Sat, 18 Jan 2020 02:20:52 -0500
X-Gmail-Original-Message-ID: <CAErg=HE0XDbhuibtky5VhvZYUnQxDitLSEuf4uzXnuByNQN+4Q@mail.gmail.com>
Message-ID: <CAErg=HE0XDbhuibtky5VhvZYUnQxDitLSEuf4uzXnuByNQN+4Q@mail.gmail.com>
To: "Owen Friel (ofriel)" <ofriel@cisco.com>
Cc: Alan DeKok <aland@deployingradius.com>, Benjamin Kaduk <kaduk@mit.edu>, EMU WG <emu@ietf.org>, Joseph Salowey <joe@salowey.net>, Michael Richardson <mcr+ietf@sandelman.ca>, Ryan Sleevi <ryan-ietf@sleevi.com>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009b31b4059c64e613"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/bBwUEWUMvvKlfmO4k0TWwHoCOmE>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jan 2020 07:21:09 -0000

Or... just stop using those certs/roots already? We’ve already identified
that there is absolutely zero reason to do so in the extant status quo,
because it still requires manual configuration. You get no benefits and
clearly downsides, so just... don’t do that? Any complaints about how that
existing PKI is managed is just a complaint that it doesn’t fit your
purposes and doesn’t do what you want, which is fine: that’s the entire
point.

If you don’t like CAs being required to do what they say, and be held
accountable to stated policies, then sure, let them issue whatever they
want and decide unilaterally what the risks are. Of course, then you’ll end
up with situations like CAs issuing certificates with duplicate serial
numbers, with one of the duplicates being a CA certificate used for active
MITM of user connections, and the issuing CA complaining that revoking
would be disruptive for those other holders with the same serial number.
Which is a real thing that happened, and indistinguishable from a policy
perspective to Alan’s example. Or you can deal with the commiserate legal
risks involved in selectively enforcing when you agree or disagree with the
CA’s risk assessment and what is “reasonable”, with the CA who issues
certificates used for MITM lamenting it’s “unfair” and “inconsistent” that
they aren’t allowed to declare there is no risk for those certificates,
while other CAs get to declare there’s no risk for EAP-TLS, despite their
policies stating they don’t allow it.

If you don’t want to deal with those problems, which are messy and complex,
then yes, manually configure your certs, and don’t manually configure ones
that expose you to all of this. Problem solved, and no need for Dickens.

I can appreciate that, if you’re not involved with managing a PKI or trust
store, it would seem undesirable to actually enforce standards and
contracts and policies as they were written, especially when inconvenient.
Yet documents like RFC 3647 exist precisely because the world is not a
technocratic utopia, trust is a hard problem, and it exists in a world
where there are messy and complex legal problems. If you want to use want
to use PKI, and you want to do more than just require explicit manual
configuration, then you have to deal with all of that and more. You can
pretend it doesn’t exist, but you can’t escape that reality. DigiNotar is
an example, but one of dozens at this point. Manual configuration lets you
localize that to things you control, and so that’s an eminently reasonable
status quo.

On Sat, Jan 18, 2020 at 12:34 AM Owen Friel (ofriel) <ofriel@cisco.com>
wrote:

> If the PKI community as a whole (vendors, standards bodies, consortia,
> CAs) has managed to engineer a situation where, according to the strict
> letter of the law, CAs would have no choice but to revoke operators
> identity certificates for many of their services if Alan was actually mean
> and wrote his script, which would cause widespread outages, then, quoting
> Charles Dickens, "the law is a ass", and I'm with Alan and Richard and the
> law (the CP/CPS) should probably change.
>
> > -----Original Message-----
> > From: Spasm <spasm-bounces@ietf.org> On Behalf Of Alan DeKok
> > Sent: 17 January 2020 19:39
> > To: Ryan Sleevi <ryan-ietf@sleevi.com>
> > Cc: spasm@ietf.org; Michael Richardson <mcr+ietf@sandelman.ca>; Joseph
> > Salowey <joe@salowey.net>; Benjamin Kaduk <kaduk@mit.edu>; EMU WG
> > <emu@ietf.org>
> > Subject: Re: [lamps] [Emu] EAP/EMU recommendations for client cert
> validation
> > logic
> >
> >
> > On Jan 17, 2020, at 12:33 PM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
> > >  Does your RADIUS endpoint support and use OCSP stapling and disable
> WiFi if
> > the certificate is expired? No? Then it's a potential violation of this
> CP/CPS.
> >
> >    I'm not sure how a RADIUS server will disable WiFi.  They are
> entirely separate
> > systems.
> >
> > > And in Section 16:
> > >   Customer will only use a TLS/SSL Certificate on the servers
> accessible at the
> > domain names listed in the issued Certificate
> > >
> > > Remind me how an EAP-TLS/RADIUS server is accessible at that domain
> name?
> >
> >   The RADIUS server has a domain name, which is commonly used in the
> > certificate.
> >
> >   If that is insufficient for the CAs purposes, then we should also
> acknowledge
> > that the revocation requirement likely also applies to SMTP, XMPP, DNS
> over
> > TLS, and IMAP.  i.e. *all* non-WWW protocols which use TLS.
> >
> >  We should not single-out EAP / RADIUS as mis-using the certificates in
> this
> > manner.  The mis-use of these certificates in other protocols is orders
> of
> > magnitude larger than the EAP / RADIUS problem.
> >
> > > There's two parts of discussion from the thread:
> > > 1) What do extant clients do, today, in the verification of
> certificates used in
> > EAP-TLS
> >
> >   EAP supplicants follow RFC 5216 Section 5.3.
> >
> > > 2) What should future clients do, 'tomorrow', to make this easier to
> use and
> > secure, ideally by default.
> > > Much of the answer was around #2, which is "Don't try to glom on to
> > something existing, you need to build your own thing",
> >
> >   True.
> >
> > > as well as "Some of the answers in #1 are problematic and you should
> try and
> > discourage them"
> >
> >   There were *allegations* of problems.
> >
> > > To connect it back to the discussion: The discussion about revocation,
> and
> > what a CA's CP/CPS says is or isn't allowed for a usage, matters, because
> > browsers require CAs promptly revoke those certificates in 24 hours/5
> days for
> > situations when they specify bad requirements. Can problematic CAs fix
> their
> > CP/CPS to allow this? Yes. But you've still got a host of other
> > expectations/requirements that can and will diverge, over time.
> >
> >   If I was mean, I would write scripts to troll the net for mis-use of
> certificates in
> > SMTP, XMPP, IMAP, VPNs, etc.  Then, make the script auto-submit notices
> to the
> > relevant CAs.  That process is simple to do, and by the above rules,
> would
> > require the CAs to revoke the relevant certs.
> >
> >   i.e. certs which affect a high percentage of daily internet traffic.
> >
> >   If that scenario were to play out, I suspect that CAs would very
> quickly stop
> > revoking the relevant certs.  A straight-forward approach to enforcing
> the rules
> > would be over-ruled by simple practicalities:  Turning off big chunks of
> the
> > Internet is a non-starter.
> >
> >   As Michael Richardson pointed out, then solution here is likely to fix
> the rules,
> > not the protocols.
> >
> > > In the specific context of thinking about "#2" - what a touch-free
> future looks
> > like - having it use the same root store as Web browsers is the
> anti-pattern,
> > because the requirements are different.
> >
> >   And therefore we need a different root store for *each* of EAP, RADIUS,
> > SMTP, XMPP, IMAP, DNS over TLS, VPNs, etc.  Note that we need *different*
> > stores for EAP and RADIUS, because RADIUS server are reachable on port
> 2083
> > as RADIUS over TLS, *and* they implement TLS over EAP, which in turn
> carried
> > over RADIUS.  Different use-cases, different root stores.
> >
> >   There may be significant push-back against that many root stores.
> >
> > > There's no doubt the status quo is "Everything is manually configured"
> and "It's
> > inconsistent what is validated". The goal is to get to #2, "It just
> works"
> > >
> > > - Define your requirements (the certificate profile)
> > > - Define your policies (what do you expect CAs to verify, and how do
> they
> > verify)
> > > - Provide a way to distinguish "new certificates" from "The old and
> manual
> > cruft" - for example, an explicit EKU
> > > - Pick your poison.... er, CAs... for the new root store (e.g. as WiFi
> Alliance has
> > done, or Wireless Power Consortium has done, or plenty of vendors have
> done)
> > > - Have CAs issue certificates with both EKUs (old and new) in the
> leaf. It's a
> > SEQUENCE for a reason.
> > > - Have supplicants configured that
> > >    - If new EKU is present, look in built-in store
> > >    - If old EKU is present, require manual configuration
> > >
> > > This gets you half-way to #2: things can just work if you pick one of
> the new-
> > CAs with new-EKUs, and otherwise require manual configuration for
> old-EKUs
> >
> >   That's good, but insufficient.  There is a lot more verification that
> EAP
> > supplicants need to do before automatically trusting a root CA.
> >
> >   I suspect that most CAs already know that their customers mis-use
> certs for
> > non-WWW purposes.  EAP / RADIUS is just a minor (almost insignificant)
> part of
> > this problem.  I also suspect most CAs operate based on the hope that no
> one
> > notices, and then requires them to revoke many, many, certificates.
> >
> >   Alan DeKok.
> >
> > _______________________________________________
> > Spasm mailing list
> > Spasm@ietf.org
> > https://www.ietf.org/mailman/listinfo/spasm
>

v2.23.0 | Report a Bug | By Email