IETF Logo Mail Archive

Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

"Owen Friel (ofriel)" <ofriel@cisco.com> Sat, 18 January 2020 05:34 UTC

Return-Path: <ofriel@cisco.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4563C12007A; Fri, 17 Jan 2020 21:34:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=EdjGeIjI; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=OR6jnlb5
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FWs22m64hQEo; Fri, 17 Jan 2020 21:34:48 -0800 (PST)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16EC8120058; Fri, 17 Jan 2020 21:34:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6417; q=dns/txt; s=iport; t=1579325688; x=1580535288; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=LYL4YvstfqzvExiFO9cgY89Gl+btX43/rz4pyNGk/LU=; b=EdjGeIjIVHxn+9WwR54Q6qsDaj8TYYFH2wkX3w8CAOreew8HYFTEdGen 7CEAvQH1mpthbcEO2EYLfQKZ1UPk7LkP1wiOtkAvS7UJlgcmEm8t5Heze Ld8vuzi/7u9Wc3WSKf8U7FfRXO4NEqzN1yw8cV2/CJvG3eLPU0gJkHJYh o=;
IronPort-PHdr: 9a23:7UgETB+8Tf9iE/9uRHGN82YQeigqvan1NQcJ650hzqhDabmn44+/bR7E/fs4iljPUM2b8P9Ch+fM+4HYEW0bqdfk0jgZdYBUERoMiMEYhQslVcmLE0z2KNbhbjcxG4JJU1o2t3w=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CwAAAClyJe/4YNJK1cCRoBAQEBAQEBAQEDAQEBAREBAQECAgEBAQGBe4FUKScFbFggBAsqh1cDinqCX5gOglIDVAkBAQEMAQEYCwoCAQGEQAKCCiQ4EwIDDQEBBAEBAQIBBQRthTcMhV4BAQEBAgEBARAoBgEBJQcLAQQHBAIBCBEEAQEBGQICARAnCx0IAgQBDQUIDAcHgwWCSgMOIAECDKBxAoE5iGGCJ4J/AQEFhQMYggwDBoE2jBQagUE/gRFHgkw+gmQBAYE5DgYYXAKCYoIsjVI7iEaCIZVmdgqCOZZLmnKCDYQRiD6bBQIEAgQFAg4BAQWBaSKBWHAVO4JsUBgNWIcpgScBCYJChRSFP3SBKT+JPAImAgWBNV8BAQ
X-IronPort-AV: E=Sophos;i="5.70,333,1574121600"; d="scan'208";a="408065524"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 18 Jan 2020 05:34:46 +0000
Received: from XCH-ALN-003.cisco.com (xch-aln-003.cisco.com [173.36.7.13]) by alln-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id 00I5Yk19004581 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Sat, 18 Jan 2020 05:34:46 GMT
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by XCH-ALN-003.cisco.com (173.36.7.13) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 17 Jan 2020 23:34:46 -0600
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 17 Jan 2020 23:34:45 -0600
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Sat, 18 Jan 2020 00:34:45 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ONtiCw3OwVKR8f2wny6gcl4bQZVvJ73Ejc07NK3rXsw2z/0+FYi+d0LAQcSd5QUWl5NIH2MObCwUOX0QUoChFRgUAf5EpkXV5R8Wi53Z+w0bSgwcYELZJAUsnWaAysOcDDY5ahx6e0A8KmY3ao+W1Bj8tKmg76Oe3kz/b42KspjASo+tn8XaMEIKCz9KnAh9VI0SqpYOEoszIQBJhb8glXzMw2kkrb+0G9bGCbCys9dW3dZzv46cmBz+ECXcNBH8nirSTWpQpwahoWaJbbOkvhY7xcDngiJqJ9h4F26yE4Tx/izXJAk5cMEeuYZngNwMk6gkT4xT8nPNrKgAHW+/pQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YBk5pfrNKdeS5K4XqGvE1+Nd3fmWWZy4fVa1ijw+jRw=; b=Yw7FPeNnWSg9uoT5IEcNY1nH2KwGjLKrqtJxidf5dVBFfOhGcBPlGUk9J0Y94VJPIhRTiRpMXV2tHsf9PnnLf1ru1ENOmAmaiAWTmdD5a9MzYohmMDNrfcgwj0ej2d1ERxujbiZmTecHqo34gCNTDY8JroQEFElCD2CBBDdDEXy0oXhVnyAnUUIxLfgbmls0DEF+5nVpELn/yJ8jbEz9RYBs6ww7Hmhl2M4faIxkg5lTWag9cBp3vpqnxI4N3NwxjXahZ1EMEIXza5jXFoqF595qoowQcmQ05xw3YIsDL+Wn46k0sZkbdCen1ZvMA8QP0/fhk0H0/adq4TylI+dhyw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YBk5pfrNKdeS5K4XqGvE1+Nd3fmWWZy4fVa1ijw+jRw=; b=OR6jnlb5g6CoTTAigmxXR+koKjwW5/v9GqF/5iyCNHGwhKKNOXrOn1Lbu011otLwSaz9OobmX99JiDQi4ufYgReWmO8BeagE97MRMi7bv3YR5H3MlkB2jSwA50ZN69YTiKo+2yn4XXxY3cr1TbH6qboC4SSOqFXHiaNXDC2c7yA=
Received: from MN2PR11MB3901.namprd11.prod.outlook.com (20.179.150.76) by MN2PR11MB3902.namprd11.prod.outlook.com (10.255.180.77) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.19; Sat, 18 Jan 2020 05:34:44 +0000
Received: from MN2PR11MB3901.namprd11.prod.outlook.com ([fe80::d1b8:3e63:ead8:10c9]) by MN2PR11MB3901.namprd11.prod.outlook.com ([fe80::d1b8:3e63:ead8:10c9%7]) with mapi id 15.20.2644.023; Sat, 18 Jan 2020 05:34:43 +0000
From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Alan DeKok <aland@deployingradius.com>, Ryan Sleevi <ryan-ietf@sleevi.com>
CC: "spasm@ietf.org" <spasm@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, Joseph Salowey <joe@salowey.net>, Benjamin Kaduk <kaduk@mit.edu>, EMU WG <emu@ietf.org>
Thread-Topic: [lamps] [Emu] EAP/EMU recommendations for client cert validation logic
Thread-Index: AQHVzVxYUeAcsaweXEq7AjaKWLDt+qfvQOOAgACiFiA=
Date: Sat, 18 Jan 2020 05:34:43 +0000
Message-ID: <MN2PR11MB3901D1B17802F2DACCC8966CDB300@MN2PR11MB3901.namprd11.prod.outlook.com>
References: <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <316CC74D-667B-4A1E-AD48-A702DF705423@deployingradius.com> <6191.1578513600@localhost> <CB67C090-4D6A-4586-AD7C-99A29EF5D92D@deployingradius.com> <CAOgPGoDADPY125Bf7mbPCpEVkwVF=YmbG9wAN0S-WyCWg27BCw@mail.gmail.com> <20200116040715.GC80030@kduck.mit.edu> <CAErg=HHwLOw9sL2=nGca5MuuyiV2Zghrp6prR7SqLJAvfCLmjA@mail.gmail.com> <B3A03277-C176-4E63-ADB3-70133E2ABA46@deployingradius.com>
In-Reply-To: <B3A03277-C176-4E63-ADB3-70133E2ABA46@deployingradius.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ofriel@cisco.com;
x-originating-ip: [2001:420:c0cc:1002::ec]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: cf749187-371d-477c-a2dd-08d79bd81f74
x-ms-traffictypediagnostic: MN2PR11MB3902:
x-microsoft-antispam-prvs: <MN2PR11MB3902FEDAEB45D4CA8C749362DB300@MN2PR11MB3902.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:2089;
x-forefront-prvs: 0286D7B531
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(39860400002)(396003)(376002)(136003)(366004)(199004)(189003)(81156014)(71200400001)(81166006)(478600001)(966005)(186003)(7696005)(4326008)(8676002)(53546011)(6506007)(52536014)(316002)(86362001)(5660300002)(76116006)(66574012)(33656002)(66556008)(64756008)(8936002)(110136005)(54906003)(55016002)(9686003)(66946007)(2906002)(66476007)(66446008); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR11MB3902; H:MN2PR11MB3901.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: SAEl8Ci6ecDk7CMHrbQKDlS9bQ/dSR4beumg9JwzuKCFpr6nufvuaIoQR5Ui+gAw7x5hDWMCUuwksPptlpkTY048vCUg2/qGY2ldaRXUZT7Is0pGUTXH2Aiv1jkh99rwpNYPrAeVxcxJZOf0zm4ZpwW2m4P5nqCMqG3tBzxdkdxqBXbOsMIwd/XjFl8xxl7wRBjQoZyxW4L0qoHfu1+JaVP6n1XVNrnB8Lox3IIrQOb7jtVkZdi7lvF7qI4VWTU/i48AJygRy2GNowM0KDXPmG0p9UFopTM1H7utHsxVggPMtwERY5dVqogZHeQJWv0pt/Z0LqXSH4iqsuXTz0YCLUuIH50ynZ28cLvzdCMNvawKX1bbK/FkH5HbFW0YmBhCzy2ZKZYJ7D+hcwz9hMn9MI0hIOTXcuijzekBMeLF9epiLcBz7jNzNRaoaVuWSYERW1bJ7HnRvt9m9dZFGYCyG70VoVCAwPsfR8bK+77yqlW+qazcckvKjIEl/DIUDr0B5UFUVv5yS89b/sulIEIz6g==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: cf749187-371d-477c-a2dd-08d79bd81f74
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Jan 2020 05:34:43.3406 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ICmIgygPNVPr/AC73Z5UPbeOXMzo5IcBibopIeFPcxp9eRSErWHEsXDMCM0kk0N3OJ+inoEkKHFmA3dlGYvLyg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB3902
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.13, xch-aln-003.cisco.com
X-Outbound-Node: alln-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/c1UlUUhvFDr4ZA4X5UnT0sIxPIo>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jan 2020 05:34:51 -0000

If the PKI community as a whole (vendors, standards bodies, consortia, CAs) has managed to engineer a situation where, according to the strict letter of the law, CAs would have no choice but to revoke operators identity certificates for many of their services if Alan was actually mean and wrote his script, which would cause widespread outages, then, quoting Charles Dickens, "the law is a ass", and I'm with Alan and Richard and the law (the CP/CPS) should probably change.

> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Alan DeKok
> Sent: 17 January 2020 19:39
> To: Ryan Sleevi <ryan-ietf@sleevi.com>
> Cc: spasm@ietf.org; Michael Richardson <mcr+ietf@sandelman.ca>; Joseph
> Salowey <joe@salowey.net>; Benjamin Kaduk <kaduk@mit.edu>; EMU WG
> <emu@ietf.org>
> Subject: Re: [lamps] [Emu] EAP/EMU recommendations for client cert validation
> logic
> 
> 
> On Jan 17, 2020, at 12:33 PM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
> >  Does your RADIUS endpoint support and use OCSP stapling and disable WiFi if
> the certificate is expired? No? Then it's a potential violation of this CP/CPS.
> 
>    I'm not sure how a RADIUS server will disable WiFi.  They are entirely separate
> systems.
> 
> > And in Section 16:
> >   Customer will only use a TLS/SSL Certificate on the servers accessible at the
> domain names listed in the issued Certificate
> >
> > Remind me how an EAP-TLS/RADIUS server is accessible at that domain name?
> 
>   The RADIUS server has a domain name, which is commonly used in the
> certificate.
> 
>   If that is insufficient for the CAs purposes, then we should also acknowledge
> that the revocation requirement likely also applies to SMTP, XMPP, DNS over
> TLS, and IMAP.  i.e. *all* non-WWW protocols which use TLS.
> 
>  We should not single-out EAP / RADIUS as mis-using the certificates in this
> manner.  The mis-use of these certificates in other protocols is orders of
> magnitude larger than the EAP / RADIUS problem.
> 
> > There's two parts of discussion from the thread:
> > 1) What do extant clients do, today, in the verification of certificates used in
> EAP-TLS
> 
>   EAP supplicants follow RFC 5216 Section 5.3.
> 
> > 2) What should future clients do, 'tomorrow', to make this easier to use and
> secure, ideally by default.
> > Much of the answer was around #2, which is "Don't try to glom on to
> something existing, you need to build your own thing",
> 
>   True.
> 
> > as well as "Some of the answers in #1 are problematic and you should try and
> discourage them"
> 
>   There were *allegations* of problems.
> 
> > To connect it back to the discussion: The discussion about revocation, and
> what a CA's CP/CPS says is or isn't allowed for a usage, matters, because
> browsers require CAs promptly revoke those certificates in 24 hours/5 days for
> situations when they specify bad requirements. Can problematic CAs fix their
> CP/CPS to allow this? Yes. But you've still got a host of other
> expectations/requirements that can and will diverge, over time.
> 
>   If I was mean, I would write scripts to troll the net for mis-use of certificates in
> SMTP, XMPP, IMAP, VPNs, etc.  Then, make the script auto-submit notices to the
> relevant CAs.  That process is simple to do, and by the above rules, would
> require the CAs to revoke the relevant certs.
> 
>   i.e. certs which affect a high percentage of daily internet traffic.
> 
>   If that scenario were to play out, I suspect that CAs would very quickly stop
> revoking the relevant certs.  A straight-forward approach to enforcing the rules
> would be over-ruled by simple practicalities:  Turning off big chunks of the
> Internet is a non-starter.
> 
>   As Michael Richardson pointed out, then solution here is likely to fix the rules,
> not the protocols.
> 
> > In the specific context of thinking about "#2" - what a touch-free future looks
> like - having it use the same root store as Web browsers is the anti-pattern,
> because the requirements are different.
> 
>   And therefore we need a different root store for *each* of EAP, RADIUS,
> SMTP, XMPP, IMAP, DNS over TLS, VPNs, etc.  Note that we need *different*
> stores for EAP and RADIUS, because RADIUS server are reachable on port 2083
> as RADIUS over TLS, *and* they implement TLS over EAP, which in turn carried
> over RADIUS.  Different use-cases, different root stores.
> 
>   There may be significant push-back against that many root stores.
> 
> > There's no doubt the status quo is "Everything is manually configured" and "It's
> inconsistent what is validated". The goal is to get to #2, "It just works"
> >
> > - Define your requirements (the certificate profile)
> > - Define your policies (what do you expect CAs to verify, and how do they
> verify)
> > - Provide a way to distinguish "new certificates" from "The old and manual
> cruft" - for example, an explicit EKU
> > - Pick your poison.... er, CAs... for the new root store (e.g. as WiFi Alliance has
> done, or Wireless Power Consortium has done, or plenty of vendors have done)
> > - Have CAs issue certificates with both EKUs (old and new) in the leaf. It's a
> SEQUENCE for a reason.
> > - Have supplicants configured that
> >    - If new EKU is present, look in built-in store
> >    - If old EKU is present, require manual configuration
> >
> > This gets you half-way to #2: things can just work if you pick one of the new-
> CAs with new-EKUs, and otherwise require manual configuration for old-EKUs
> 
>   That's good, but insufficient.  There is a lot more verification that EAP
> supplicants need to do before automatically trusting a root CA.
> 
>   I suspect that most CAs already know that their customers mis-use certs for
> non-WWW purposes.  EAP / RADIUS is just a minor (almost insignificant) part of
> this problem.  I also suspect most CAs operate based on the hope that no one
> notices, and then requires them to revoke many, many, certificates.
> 
>   Alan DeKok.
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email