Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
Ryan Sleevi <ryan-ietf@sleevi.com> Sat, 18 January 2020 23:30 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31962120043; Sat, 18 Jan 2020 15:30:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3a_H5Cmt9vc7; Sat, 18 Jan 2020 15:30:24 -0800 (PST)
Received: from mail-ed1-f53.google.com (mail-ed1-f53.google.com [209.85.208.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84A3A120025; Sat, 18 Jan 2020 15:30:24 -0800 (PST)
Received: by mail-ed1-f53.google.com with SMTP id i16so25984096edr.5; Sat, 18 Jan 2020 15:30:24 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Jdosa3tNDntkTvxnwQehtYNgl3waojzh5COKi88WATM=; b=pNcIIUB7Ja9jdW/BLGFcljL5PI5IRiv5lDM4Lrmeav5kONrNYpGlovtaIT9/F/R2nn He3kk44EgRMfkAr7oL0fmraT/f2TI61JW2qIYv535eq+PW7UHx41+Jv/sJKzPZukABOp +L2ECcna4Azu1BEZl6Sy4ri76UC7ENltTu9zYPHkALdzPOlzZWFcRcz6xAZY1iM4o1cC R4awQf93bnZFjtfKZhuXmdjCS2kBlc5VBdWYwy1DFeNTZ4eXEe099fxiFUeMXA1QKCZn lg+FnfFg8DKclkaBWOx+9GtBf25XecrwY7cYWUcpXBF37NAUzAuVbD90gAImaHS1M6xq x9vg==
X-Gm-Message-State: APjAAAVT/22c8E5iZzFvtafC3E6DPa50v298gyW+BkPFqCDjj9J5tPb+ fLJwGyxxdhx/PYhIfzLvpVfY1Ycb
X-Google-Smtp-Source: APXvYqzO8B9QDt6MTZiPsyOFX1PyHuZLxndKcn067XHcieVGIQVgCrWWgW4lKEHzn/UXJUGolOEiMw==
X-Received: by 2002:aa7:d4d2:: with SMTP id t18mr10725920edr.223.1579390222699; Sat, 18 Jan 2020 15:30:22 -0800 (PST)
Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com. [209.85.128.51]) by smtp.gmail.com with ESMTPSA id va15sm935970ejb.18.2020.01.18.15.30.21 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 18 Jan 2020 15:30:22 -0800 (PST)
Received: by mail-wm1-f51.google.com with SMTP id 20so11116608wmj.4; Sat, 18 Jan 2020 15:30:21 -0800 (PST)
X-Received: by 2002:a1c:ddd7:: with SMTP id u206mr12133465wmg.159.1579390221578; Sat, 18 Jan 2020 15:30:21 -0800 (PST)
MIME-Version: 1.0
References: <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <316CC74D-667B-4A1E-AD48-A702DF705423@deployingradius.com> <6191.1578513600@localhost> <CB67C090-4D6A-4586-AD7C-99A29EF5D92D@deployingradius.com> <CAOgPGoDADPY125Bf7mbPCpEVkwVF=YmbG9wAN0S-WyCWg27BCw@mail.gmail.com> <20200116040715.GC80030@kduck.mit.edu> <CAErg=HHwLOw9sL2=nGca5MuuyiV2Zghrp6prR7SqLJAvfCLmjA@mail.gmail.com> <B3A03277-C176-4E63-ADB3-70133E2ABA46@deployingradius.com> <MN2PR11MB3901D1B17802F2DACCC8966CDB300@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HE0XDbhuibtky5VhvZYUnQxDitLSEuf4uzXnuByNQN+4Q@mail.gmail.com> <55CE7F32-B5DE-44F5-AE06-72BE12FA05FF@deployingradius.com> <CAErg=HH8LjqMR37Ek1uK12uCDj4N89Ot=Fm_PLOBdeXsv3sdpw@mail.gmail.com> <7F591857-4B7B-41BD-B101-6C40BE527644@deployingradius.com> <CAErg=HF9SQCmP9hi8SP-EstyYL-qVLWMeitP2AHc3T6ZWZM4vQ@mail.gmail.com> <9AADAAD6-0A66-4198-AFBF-DBC2D87DBFA0@deployingradius.com> <CAErg=HE8WO1oU=ZUxMeJZpxVyM_6ypCn-3_9UqKkMv44c7Do=Q@mail.gmail.com> <07C710A5-3B2A-4D15-8BB7-AB5A8B5EF5D1@deployingradius.com>
In-Reply-To: <07C710A5-3B2A-4D15-8BB7-AB5A8B5EF5D1@deployingradius.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Sat, 18 Jan 2020 18:30:10 -0500
X-Gmail-Original-Message-ID: <CAErg=HGf=3z+_S2f+_ciSunpi4W05aKxoxx=ozH9kXtooAJL9w@mail.gmail.com>
Message-ID: <CAErg=HGf=3z+_S2f+_ciSunpi4W05aKxoxx=ozH9kXtooAJL9w@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, EMU WG <emu@ietf.org>, Joseph Salowey <joe@salowey.net>, Michael Richardson <mcr+ietf@sandelman.ca>, "Owen Friel (ofriel)" <ofriel@cisco.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001e7923059c7271ec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/hmE8Zwkw8zNvd1hdD3BAfjkY8To>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jan 2020 23:30:26 -0000
On Sat, Jan 18, 2020 at 5:58 PM Alan DeKok <aland@deployingradius.com> wrote: > I'm trying to solve the problem of bootstrapping. I agree that various > CAs have various rules. I agree that anyone can run their own private CA, > and do whatever they want. I've been doing that, and recommending it, for > ~20 years. Great. Let’s focus on one problem at a time to make sure it’s easier to follow along. Earlier in the thread you seemed fixated on the first problem, so it’s unclear when/where/how shifted to the second. When the CA *isn't* included with the OS distribution, it means that CA > *cannot* be used to bootstrap TLS-enabled applications. Each application > (not just EAP) MUST be manually configured with the CA. This isn’t true, if you mean that the end user needs to manually configure. Modern OSes allow the application vendor - such as the supplicant vendor - to explicitly configure. The alternative is to ask the application to naively trust a CA it > doesn't know, and a CA which isn't included with the OS distribution. I > don't think that will happen. The alternative is the application ships it’s own root store. Which applications have been doing for 20+ years and which modern OSes make even easier. It's easy for a browser vendor to tell a CA "issue certs our customers > can use". It's much, much, harder for anyone else to do the same thing. Not really? CAs are plenty happy to sell whatever folks want. Look at stuff like the drone PKI being developed. What other application developers can’t do - and this is intentional - is to get their certs and profiles for the same roots, even if they’re the same issuing organization. It's less of an objection than a statement that we're back to the initial > conclusion: use a private CA, manually configure, and ignore the root CAs > shipped with the OS distribution. > > How does that help with the bootstrapping problem? I already gave that answer several times. Define your profile and policies, pick (different) roots, and ship them in your software. It’s mistaken to suggest that you HAVE to use the same roots as the OS. I'm happy to use a new PKI. But we *cannot* and *must not* rely on every > application to "do it yourself". There must be a trust anchor shipped with > OS distributions, that applications can leverage. No, there doesn’t. That’s an unreasonable demand, because it’s insisting that advocates of the problem don’t want to actually do the work involved in developing a solution for the problem. There’s absolutely no reason to require that it be shipped as part of the OS. Plenty of PKIs exist without requiring that, and modern OSes make it easier. Now, it may be that OSes do this, in the future, but that only happens by first building the profile and policies. Because that’s all an OS root store is: a set of CAs known to meet particular profiles and policies. Anyone can define that. > It’s completely unreasonable to be complaining “CA X won’t let me use > certificates for this purpose” if you’re not addressing that with CA X. And > it’s completely unreasonable to complain that Root stores intended for use > case Y cannot be used with use case Z. Hammers make lousy screwdrivers, > even if they are both “tools one uses when building furniture” > > Sure. So how does *my* application get Microsoft, Apple, etc. to ship a > new PKI? Provide a problem statement and a solution that’s compelling enough for them to use? Fixating on the “new PKI” or “must be shipped in the OS” is completely unreasonable expectation, especially when even the _existing_ PKI doesn’t solve the bootstrap problem unless you convince the OS. There’s zero advantages to using extant PKI, and ample downside, and you can move quicker and ship things by just doing the work.
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Owen Friel (ofriel)
- [Emu] EAP/EMU recommendations for client cert val… Owen Friel (ofriel)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] EAP/EMU recommendations for client cert… Michael Richardson
- Re: [Emu] EAP/EMU recommendations for client cert… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Joseph Salowey
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Benjamin Kaduk
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Mohit Sethi M
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Owen Friel (ofriel)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Stephen Farrell
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Stephen Farrell
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Salz, Rich
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Russ Housley
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Peter Bowen
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Phillip Hallam-Baker