Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

"Eliot Lear (elear)" <elear@cisco.com> Thu, 16 January 2020 21:02 UTC

From: "Eliot Lear (elear)" <elear@cisco.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: Alan DeKok <aland@deployingradius.com>, "spasm@ietf.org" <spasm@ietf.org>, EMU WG <emu@ietf.org>
Date: Thu, 16 Jan 2020 21:02:01 +0000
Message-ID: <48C23DF2-C578-482B-BCC3-69AABDAF983F@cisco.com>
References: <MN2PR11MB3901F9B86DAC83AF67FBA49DDB560@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HEzR4U9L2Bbj65hSKo4=GEHv=NVGkySFpdCaK2NoJBmFQ@mail.gmail.com> <MN2PR11MB39013D4C54FEACDC8228D136DB3F0@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HG=ZTbzfSr8oQMWgzFNqmdPkUNttLQDprGo5F6LXv9T5Q@mail.gmail.com> <B823CF84-4F78-4B91-BC68-E173FA78C28D@deployingradius.com> <CAErg=HEAtGiJKpLamdUaHicU2Psu7_0RrwsrwiQpb-uHOZ2p2Q@mail.gmail.com> <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <316CC74D-667B-4A1E-AD48-A702DF705423@deployingradius.com> <CAErg=HF-so7nvNmYd04wJ-DCHYGarkHpt3XjTGOhFNT1h=69UA@mail.gmail.com> <10F5CCFB-7DBD-40DF-9C65-BCD0EB8CB838@deployingradius.com> <CAErg=HH_VNooEKr2p7ebdDScRorQxEfxJ30YpY7sEu84pk+6eg@mail.gmail.com>
In-Reply-To: <CAErg=HH_VNooEKr2p7ebdDScRorQxEfxJ30YpY7sEu84pk+6eg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/dMTutzNTOdjoSK8VvsepDXZf15M>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>


On 8 Jan 2020, at 17:29, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:

> The CA must revoke if the certificate is misused; that's required by contract.
> The CA defines what misuse means.
> A number of CAs define misuse as "used for purposes other than TLS web server"
> Ergo, obtaining and using certificates with EAP means these certificates are at risk of revocation.

OK, not for nothing, but this is getting silly. If a CA actually revoked a cert for someone using it for EAP, would it also have to revoke for someone using it for SMTP, XMPP, and IMAP? Has that ever happened?

Eliot