IETF Logo Mail Archive

Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

Russ Housley <housley@vigilsec.com> Sun, 19 January 2020 16:26 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4130412002E for <emu@ietfa.amsl.com>; Sun, 19 Jan 2020 08:26:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sieNy0Aran2n for <emu@ietfa.amsl.com>; Sun, 19 Jan 2020 08:26:42 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E72312001A for <emu@ietf.org>; Sun, 19 Jan 2020 08:26:42 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 5CC76300B0D for <emu@ietf.org>; Sun, 19 Jan 2020 11:26:40 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id ScZn8dR8ViX4 for <emu@ietf.org>; Sun, 19 Jan 2020 11:26:36 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-51-198-163.washdc.fios.verizon.net [108.51.198.163]) by mail.smeinc.net (Postfix) with ESMTPSA id 6D1A33001CB; Sun, 19 Jan 2020 11:26:36 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <7C85D468-1D28-4C3A-BC3E-C42374933B51@deployingradius.com>
Date: Sun, 19 Jan 2020 11:26:36 -0500
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, EMU WG <emu@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, Ben Kaduk <kaduk@mit.edu>
Content-Transfer-Encoding: quoted-printable
Message-Id: <666A5BF7-29A2-4CD3-97CB-DAD8B96EC040@vigilsec.com>
References: <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <316CC74D-667B-4A1E-AD48-A702DF705423@deployingradius.com> <6191.1578513600@localhost> <CB67C090-4D6A-4586-AD7C-99A29EF5D92D@deployingradius.com> <CAOgPGoDADPY125Bf7mbPCpEVkwVF=YmbG9wAN0S-WyCWg27BCw@mail.gmail.com> <20200116040715.GC80030@kduck.mit.edu> <CAErg=HHwLOw9sL2=nGca5MuuyiV2Zghrp6prR7SqLJAvfCLmjA@mail.gmail.com> <B3A03277-C176-4E63-ADB3-70133E2ABA46@deployingradius.com> <MN2PR11MB3901D1B17802F2DACCC8966CDB300@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HE0XDbhuibtky5VhvZYUnQxDitLSEuf4uzXnuByNQN+4Q@mail.gmail.com> <55CE7F32-B5DE-44F5-AE06-72BE12FA05FF@deployingradius.com> <CAErg=HH8LjqMR37Ek1uK12uCDj4N89Ot=Fm_PLOBdeXsv3sdpw@mail.gmail.com> <7F591857-4B7B-41BD-B101-6C40BE527644@deployingradius.com> <CAErg=HF9SQCmP9hi8SP-EstyYL-qVLWMeitP2AHc3T6ZWZM4vQ@mail.gmail.com> <9AADAAD6-0A66-4198-AFBF-DBC2D87DBFA0@deployingradius.com> <CAErg=HE8WO1oU=ZUxMeJZpxVyM_6ypCn-3_9UqKkMv44c7Do=Q@mail.gmail.com> <07C710A5-3B2A-4D15-8BB7-AB5A8B5EF5D1@deployingradius.com> <CAErg=HGf=3z+_S2f+_ciSunpi4W05aKxoxx=ozH9kXtooAJL9w@mail.gmail.com> <7C85D468-1D28-4C3A-BC3E-C42374933B51@deployingradius.com>
To: Alan DeKok <aland@deployingradius.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/frDRzzCD2PNmiiAP054FswPwjjY>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jan 2020 16:26:44 -0000

It seems to me that RFC 4334 offers a way for an enterprise to assert that the certificate is intended to be used with a particular SSID.  This seems better than a self-signed certificate with just a domain name.

I understand that CA/B Forum does not allow these extensions and attributes, but as already highlighted in thi discussion, these certificates are not part of the Web PKI.

Russ

> On Jan 19, 2020, at 10:07 AM, Alan DeKok <aland@deployingradius.com> wrote:
> 
> On Jan 18, 2020, at 6:30 PM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
>> Great. Let’s focus on one problem at a time to make sure it’s easier to follow along. Earlier in the thread you seemed fixated on the first problem, so it’s unclear when/where/how shifted to the second.
> 
>  Perhaps less "fixated" than "trying to achieve a common understanding.
> 
>  It's best to understand the current situation before designing any solution.
> 
>> The alternative is the application ships it’s own root store. Which applications have been doing for 20+ years and which modern OSes make even easier.
> 
>  The question here is *what* root store?  It's easy for browsers to ship root stores.  The WWW root stores are well known. 
> 
>  What root store is already widely known, and trusted for EAP?
> 
>> Not really? CAs are plenty happy to sell whatever folks want. Look at stuff like the drone PKI being developed.
> 
>  CAs are in *theory* happy to sell things.  In practice, it's difficult to get non-WWW certificates.
> 
>> I already gave that answer several times. Define your profile and policies, pick (different) roots, and ship them in your software. It’s mistaken to suggest that you HAVE to use the same roots as the OS.
> 
>  I think you're operating from a WWW perspective.  That use-case is very different from EAP.  In WWW, 99% of the TLS-enabled traffic is from the server to the client.  The client doesn't know what the information is, and doesn't really care.  Even secret information like passwords sent to a web server are generated by / on that web server.  So a client can verify (a) the password was created for a proven server using a trusted CA, and next time (b) prove it's the same server, so it's OK to send over the password.
> 
>  EAP is completely different.  I have *my* password.  It's secret, and I made it.  I want to be sure that I give it *only* to the site which is authorized.  This means that I don't really care that a root CA is trusted.  That root CA might sign certificates for 1000 companies.  I want to have my password only to one company; the correct one.  I want the client supplicant to *not* hand my password to the other ones.  I have no DNS to leverage, either.
> 
>  To put it another way, in WWW, the server has data that the client wants.  In EAP, the client has data (passwords) that the server wants.  The trust models are very different.
> 
>  The goal then is to get to the point where a supplicant can verify that the server cert is signed by a trusted CA, *and* that it's the server cert that the client wants.
> 
>  Shipping a trusted root CA on the supplicant OS is the *only* way to do this.
> 
>> No, there doesn’t. That’s an unreasonable demand, because it’s insisting that advocates of the problem don’t want to actually do the work involved in developing a solution for the problem. There’s absolutely no reason to require that it be shipped as part of the OS. Plenty of PKIs exist without requiring that, and modern OSes make it easier.
> 
>  See above.
> 
>  This isn't just "ship a root CA with an EAP / RADIUS server".  That's a trivial problem to solve.  If you want to use a RADIUS server, it may be OK to trust the CAs included with that product.  The same goes for browsers.
> 
>  But what are the poor end users going to do with their EAP supplicants?  Pretty much *zero* of them have ever downloaded a supplicant "application".  So that route is completely off of the table.
> 
>  Instead the supplicant is shipped with the OS. Therefore, any root CAs needed by the supplicant MUST be included with the OS.
> 
>  It really is that simple.
> 
>  In conclusion, we need a new PKI, and the root CAs must be included with OS distributions.  But the OS vendors won't do that until we define the requirements, solution, and transition path.
> 
>  Alan DeKok.
> 
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu

v2.23.0 | Report a Bug | By Email