IETF Logo Mail Archive

Re: [Emu] Best practices for supplicants and authenticators

"Cappalli, Tim (Aruba)" <timc@hpe.com> Mon, 18 November 2019 15:23 UTC

Return-Path: <prvs=022527b33b=timc@hpe.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3958120962 for <emu@ietfa.amsl.com>; Mon, 18 Nov 2019 07:23:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DCFGDsJRBFi7 for <emu@ietfa.amsl.com>; Mon, 18 Nov 2019 07:23:11 -0800 (PST)
Received: from mx0a-002e3701.pphosted.com (mx0a-002e3701.pphosted.com [148.163.147.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86081120961 for <emu@ietf.org>; Mon, 18 Nov 2019 07:23:11 -0800 (PST)
Received: from pps.filterd (m0150241.ppops.net [127.0.0.1]) by mx0a-002e3701.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xAIFLNta025083; Mon, 18 Nov 2019 15:23:05 GMT
Received: from g2t2353.austin.hpe.com (g2t2353.austin.hpe.com [15.233.44.26]) by mx0a-002e3701.pphosted.com with ESMTP id 2wbq38ugcy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 Nov 2019 15:23:05 +0000
Received: from G2W6311.americas.hpqcorp.net (g2w6311.austin.hp.com [16.197.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by g2t2353.austin.hpe.com (Postfix) with ESMTPS id EB3E996; Mon, 18 Nov 2019 15:23:02 +0000 (UTC)
Received: from G9W8670.americas.hpqcorp.net (16.220.49.29) by G2W6311.americas.hpqcorp.net (16.197.64.53) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Mon, 18 Nov 2019 15:23:00 +0000
Received: from G9W9210.americas.hpqcorp.net (2002:10dc:429b::10dc:429b) by G9W8670.americas.hpqcorp.net (2002:10dc:311d::10dc:311d) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Mon, 18 Nov 2019 15:22:59 +0000
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (15.241.52.10) by G9W9210.americas.hpqcorp.net (16.220.66.155) with Microsoft SMTP Server (TLS) id 15.0.1367.3 via Frontend Transport; Mon, 18 Nov 2019 15:23:00 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=b6nh7QjJV2wlTRC9017sjQet4okM6qB1XAX4vKu0j97BnSflEQ6wfd7As8nKM7oYib9Mx4C+EKFTBbznsmfGNMG40TCC+xiqZ6GaPOJ7AK9AEcGzVY39Si2WxLt2/VWQEOswyG/dCWldI5AEgv6EHc//0LOS+v8lO/DHZxaEX5FtAWWJxGwMLLRrOJ2MjXCgvRlADfqKwiDDdB77B9J16cR9kkGp5xfl8nC14V3WEJIvPkKATFowrhkD/C1g+GCCbzxNti7D+2kiTJj5mddJE1n0TFjie705BYgoxardabyJuWqhEokb9t5x8XNalekmzQARAi3vNQS5TqGSsaeRoQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JaM9wd5c9JHeACKIoRu8KZK4OraqQ86snQiKPl32Hdw=; b=G33UOz1gC9vIa2OZ0+yGM1EVUORS0CkFOjMz/AkF8WxC8PHdS6hybObLynxbGNuDpv6zv9yK/mzuqzQxygR8/dxfSlmg9JXHFaAUfbpcYzcNyeoiD0zP3/+IUBij7OEDJMUm/tpo1j6he600guai6SV/lDTkkAFyFsDphVo8jrFz8bpRBvrZb7MXa7mPNwl2kSNflgi7vnqcECTxrEI0SP8tMJGXNS/oDAx4NZuLFegO3yb0Y2BCe3ltGoxDCVn4BQaKEtNGqIxPtBxmMUfjkGJ3jYdDl8Kzyb6AcHrOdhy0OwSuTDEj8TerwnCuG7KxVB7O5M9HKgUMVS6BGaP9Ow==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=hpe.com; dmarc=pass action=none header.from=hpe.com; dkim=pass header.d=hpe.com; arc=none
Received: from AT5PR8401MB0530.NAMPRD84.PROD.OUTLOOK.COM (10.169.4.9) by AT5PR8401MB0500.NAMPRD84.PROD.OUTLOOK.COM (10.169.2.135) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2451.23; Mon, 18 Nov 2019 15:22:58 +0000
Received: from AT5PR8401MB0530.NAMPRD84.PROD.OUTLOOK.COM ([fe80::81ab:37ac:b862:a110]) by AT5PR8401MB0530.NAMPRD84.PROD.OUTLOOK.COM ([fe80::81ab:37ac:b862:a110%11]) with mapi id 15.20.2451.029; Mon, 18 Nov 2019 15:22:59 +0000
From: "Cappalli, Tim (Aruba)" <timc@hpe.com>
To: Alan DeKok <aland@deployingradius.com>, EMU WG <emu@ietf.org>
Thread-Topic: [Emu] Best practices for supplicants and authenticators
Thread-Index: AQHVnhsKV+GRtV0vSkCNpQk4qcIR6KeRC18/
Date: Mon, 18 Nov 2019 15:22:58 +0000
Message-ID: <AT5PR8401MB0530EEE33628E2DB3098C1E6DB4D0@AT5PR8401MB0530.NAMPRD84.PROD.OUTLOOK.COM>
References: <526166D8-80B9-4356-84D9-52ACD49E004B@deployingradius.com>
In-Reply-To: <526166D8-80B9-4356-84D9-52ACD49E004B@deployingradius.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:470:88f7:1621:610c:c87:2f84:f471]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 8be77fc3-a9bf-4df7-391b-08d76c3b31c4
x-ms-traffictypediagnostic: AT5PR8401MB0500:
x-microsoft-antispam-prvs: <AT5PR8401MB05007D00E92F632CB24C243BDB4D0@AT5PR8401MB0500.NAMPRD84.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-forefront-prvs: 0225B0D5BC
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(346002)(396003)(39860400002)(376002)(136003)(51444003)(199004)(189003)(6116002)(6306002)(81156014)(81166006)(9686003)(256004)(14444005)(5660300002)(33656002)(486006)(7696005)(71190400001)(55016002)(71200400001)(6246003)(476003)(99286004)(76176011)(25786009)(54896002)(76116006)(102836004)(2906002)(6436002)(8936002)(8676002)(66446008)(229853002)(64756008)(6506007)(7736002)(53546011)(66476007)(66556008)(11346002)(236005)(316002)(110136005)(606006)(446003)(14454004)(74316002)(478600001)(52536014)(46003)(86362001)(66946007)(186003)(966005); DIR:OUT; SFP:1102; SCL:1; SRVR:AT5PR8401MB0500; H:AT5PR8401MB0530.NAMPRD84.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: hpe.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: IaChIMKdHpF0HZijQtzeVvdFEnF1A4en56zutIvetjYMIQ1KuzbHrGZh1WXNbNWTCAEK4GNQhrN7EIItrCRbpODNbzWPotO8LVkID0fYfhlQsoIh9T2tISB3odsBMnFdS69JdT1CUm9uRjMXZGgUx5UtFfc+RbaRFDsBFsGXO1oD0NusuyGZfz3XSb6C80358pUrzaV2OahdHq97oexX/UoUWMGCUaZ/sOFve1Cz1qy8ouAyf1XF1+Jle0grx7TyKvbVE0p+CseEqQNhCqtymcaBJKIq/uxjRsnTft9ILEtzUMjTIvNGvt8iZiePPNBVDruvv7tHVaYM4tvMMBpVXhQmbYbnn6+a3mnXR+0w6xwCsf/SIa1ZnFU/NJRKdFmLZ5di5MKrheQI7f64ZWXLnqh7Z277h+R4eDwKL5DleMtZzWCS467qYO+4nRhMpFkJ
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AT5PR8401MB0530EEE33628E2DB3098C1E6DB4D0AT5PR8401MB0530_"
X-MS-Exchange-CrossTenant-Network-Message-Id: 8be77fc3-a9bf-4df7-391b-08d76c3b31c4
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Nov 2019 15:22:58.8828 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 105b2061-b669-4b31-92ac-24d304d195dc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: H2mbluEbOeKAqhIO343YswUc0pLbZ/hyo2xB2tyWy+K52IGYjLU0Y1vyNC7YjKuQ
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AT5PR8401MB0500
X-OriginatorOrg: hpe.com
X-Proofpoint-UnRewURL: 4 URL's were un-rewritten
MIME-Version: 1.0
X-HPE-SCL: -1
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,18.0.572 definitions=2019-11-18_03:2019-11-15,2019-11-18 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 impostorscore=0 clxscore=1015 priorityscore=1501 spamscore=0 lowpriorityscore=0 suspectscore=0 malwarescore=0 mlxlogscore=813 adultscore=0 mlxscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1911180140
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/k6jQfIetbKQZ69BgzDJF9XBDmfU>
Subject: Re: [Emu] Best practices for supplicants and authenticators
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2019 15:23:14 -0000

So again, if NAIRealm is not bound to an organization’s public domain name, how does a public CA prove ownership of an NAIRealm? How is this different than ESSID?

I don’t see how this improves assurance of a server identity.

tim

From: Emu <emu-bounces@ietf.org>
Date: Monday, November 18, 2019 at 9:18 AM
To: EMU WG <emu@ietf.org>
Subject: [Emu] Best practices for supplicants and authenticators
  After the meeting earlier today, I made some notes on best practices for supplicants and authenticators.  I think it would be useful to have an official WG document which gives guidance.

Background:

a) the current practice in TLS-based EAP methods is to use certificates with "id-kp-serverAuth" OID set for Extended Key Usage.
b) many supplicants check for this OID, and refuse to perform authentication if it is missing
c) supplicants do not check DNS names or any other field in the certificates
d) as a result of this lack of verification, supplicants ship with all known CAs disabled for TLS-based EAP methods

  If the supplicants did ship with root CAs enabled, then because of the lack of validation in (c), the supplicants would hand over user credentials to any authenticator who has a properly signed certificate.  This is wrong, and is why all of the root CAs are disabled.

  It would be useful to simplify the user experience when working with EAP-TLS.  It would also be useful to reduce security issues.  This is where a new document is needed.  I believe that the standards exist to support these goals.  However, there's a lack of guidance around using these standard.  It would be good to document current practices, and then give guidance on how to upgrade to better practices.

  I'll start off describing the end goal, and then discuss how we can get there.

  The goal is to have certificates which contain the id-kp-eapOverLAN OID (RFC 4334), and either the NAIRealm OID (RFC 7585), or a similar one dedicated to TLS-based EAP authentication.  Supplicants can use these fields to verify that the certificate is both intended to be used for TLS-based EAP authentication, and that the certificate is for a given realm.

  The end user experience *should* be something like:

* connect to a system which uses 802.1X authentication (SSID, wired, etc)
* prompt the user for full credentials (user id + realm / password)
* validate that the server certificate has the id-kp-eapOverLAN OID set, AND that the NAIRealm OID matches the user's realm
* validate the certificate chain

  If those validation steps succeed, then the supplicant could send the users credentials over the EAP method.  I think that this extra validation means that supplicants can trust known root CAs by default.  Which makes the user experience much better.

  Since the certificates do not currently contain these fields, and supplicants don't check them, we need an upgrade path.

  The first step is to suggest that admins generate certificates with the above fields.  This likely means that certificate authorities will be asked to sign certs with the NAIRealm OID, which they might not do.  This limitation is less of a problem in a roaming federation like Eduroam, where they are their own CA.

  The next step is to suggest that supplicant vendors upgrade their systems to allow the id-kp-eapOverLAN OID, *or* the id-kp-serverAuth in server certificates.  That is a simple change, and shouldn't have any negative affects.

  Supplicants can also be upgraded to check the NAIRealm.  If the field does not match the users realm, then the certificate should be rejected.  If the field does match, then the supplicant should validate the certificate chain.  This validation should also include trusting known root CAs by default.

  We should also recommend that supplicant vendors check the id-mod-dns-srv-name-88 and id-mod-dns-srv-name-93 fields of server certificates.  If the domain names there do not match the realm given by the user, then the user should be warned, and the certificate rejected.

  If accepted, I think that such practices would tremendously simplify the use of TLS-based EAP methods for both users and administrators.

  Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

v2.23.0 | Report a Bug | By Email