IETF Logo Mail Archive

Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

"David B. Nelson" <d.b.nelson@comcast.net> Mon, 20 January 2020 17:28 UTC

Return-Path: <d.b.nelson@comcast.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47162120019 for <emu@ietfa.amsl.com>; Mon, 20 Jan 2020 09:28:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AnFJ7hp-KwOk for <emu@ietfa.amsl.com>; Mon, 20 Jan 2020 09:28:36 -0800 (PST)
Received: from resqmta-ch2-07v.sys.comcast.net (resqmta-ch2-07v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:39]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDAF6120227 for <emu@ietf.org>; Mon, 20 Jan 2020 09:28:35 -0800 (PST)
Received: from resomta-ch2-08v.sys.comcast.net ([69.252.207.104]) by resqmta-ch2-07v.sys.comcast.net with ESMTP id tXIEiRcq3H8TstaqoicCzg; Mon, 20 Jan 2020 17:28:34 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=20190202a; t=1579541314; bh=QBE9c8pdZmgRR9Yip24H1PuCjTAt1+zjFMjthfFvgVU=; h=Received:Received:From:Message-Id:Content-Type:Mime-Version: Subject:Date:To; b=ACHM2G3s440JFJqn88lpdPWlVtmnR5W9NVdzSshvu5IUqJAokwTYOGWgcfw4SgxPe dNxjxcIMJO+F63/0B0vW3fVkXGw/DRIaftcNcZfJ63w8V4xnF4OcMX1hhcRvdAeORF t6XjGv4ps9NFRbaPrfze5MGO/6eMiOxBAyLFxCJa/HQ7e9fn8qCHC71Z0xf483SruF IO4L/M5MVQe8MlgydTIDPp92F7ANof25AZMuA83oFpIIfEVGIe0vGCZP4t8+9PxQAM tQiGdwvr0JNOvzEBXOD1RGv44gnqQMUs3dkNsboOC0xnUfY+kVHZYdEiLNka0mrQzX 7vahOOdPnn22Q==
Received: from [IPv6:2601:187:4000:6316:1cfb:cbcc:4e89:b6ef] ([IPv6:2601:187:4000:6316:1cfb:cbcc:4e89:b6ef]) by resomta-ch2-08v.sys.comcast.net with ESMTPSA id taqniuOrLay2utaqniokQT; Mon, 20 Jan 2020 17:28:34 +0000
X-Xfinity-VMeta: sc=-100.00;st=legit
From: "David B. Nelson" <d.b.nelson@comcast.net>
Message-Id: <D6C98596-AA42-48DA-B6BC-74F6506B8ED7@comcast.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B493F452-3D73-47DA-B6BD-835DDEAFC25B"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 20 Jan 2020 12:28:32 -0500
In-Reply-To: <CAErg=HFkQQpxprFNRKzn9Jhh=Em8UTLjBe7Em08fppyxROO=kg@mail.gmail.com>
Cc: Alan DeKok <aland@deployingradius.com>, EMU WG <emu@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
References: <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <316CC74D-667B-4A1E-AD48-A702DF705423@deployingradius.com> <6191.1578513600@localhost> <CB67C090-4D6A-4586-AD7C-99A29EF5D92D@deployingradius.com> <CAOgPGoDADPY125Bf7mbPCpEVkwVF=YmbG9wAN0S-WyCWg27BCw@mail.gmail.com> <20200116040715.GC80030@kduck.mit.edu> <CAErg=HHwLOw9sL2=nGca5MuuyiV2Zghrp6prR7SqLJAvfCLmjA@mail.gmail.com> <B3A03277-C176-4E63-ADB3-70133E2ABA46@deployingradius.com> <MN2PR11MB3901D1B17802F2DACCC8966CDB300@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HE0XDbhuibtky5VhvZYUnQxDitLSEuf4uzXnuByNQN+4Q@mail.gmail.com> <55CE7F32-B5DE-44F5-AE06-72BE12FA05FF@deployingradius.com> <CAErg=HH8LjqMR37Ek1uK12uCDj4N89Ot=Fm_PLOBdeXsv3sdpw@mail.gmail.com> <7F591857-4B7B-41BD-B101-6C40BE527644@deployingradius.com> <CAErg=HF9SQCmP9hi8SP-EstyYL-qVLWMeitP2AHc3T6ZWZM4vQ@mail.gmail.com> <9AADAAD6-0A66-4198-AFBF-DBC2D87DBFA0@deployingradius.com> <CAErg=HE8WO1oU=ZUxMeJZpxVyM_6ypCn-3_9UqKkMv44c7Do=Q@mail.gmail.com> <07C710A5-3B2A-4D15-8BB7-AB5A8B5EF5D1@deployingradius.com> <CAErg=HGf=3z+_S2f+_ciSunpi4W05aKxoxx=ozH9kXtooAJL9w@mail.gmail.com> <7C85D468-1D28-4C3A-BC3E-C42374933B51@deployingradius.com> <CAErg=HFM4=V1YjD2Z7Rd5cNsDv6v9oTwKcbaTwhDdrQvOwtS9w@mail.gmail.com> <5ED33CB8-4C56-4117-A001-C2EB056CA80B@deployingradius.com> <CAErg=HF2L-XSQExoKz71QcZMqJdA-gn3KxnZwT1qypzBA9Hi3Q@mail.gmail.com> <22430B86-2680-4E50-AF12-A200FD051E8D@deployingradius.com> <CAErg=HGE-AwviP-VurLJ58vsmkK4uqVCfoqRK4TkEdbSRegN_g@mail.gmail.com> <4B648503-5B4D-4512-8692-94820388B894@deployingradius.com> <CAErg=HFkQQpxprFNRKzn9Jhh=Em8UTLjBe7Em08fppyxROO=kg@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/ksQ_S86BvT2WTr5kAQMpVkWKDC4>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2020 17:28:39 -0000

On Jan 20, 2020, at 11:51 AM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
> 
>   Whether we have to convince "the OS vendor", or just "the supplicant division in the OS vendor" is largely the same thing.
> 
> It isn’t, and there’s been zero evidence to support that conclusion, but I can tell reality isn’t that convincing :)

I have to disagree with that.  There are exceptions to very rule, of course, but I have never downloaded, installed and configured a supplicant on any of my computing devices.  I’m a highly technical end-user (long time IETF and IEEE contributor).

> This is not about which department is involved. The distinction is about the scope of trust. Saying shipped in the OS, both in the context of this thread and more generally, is presuming a broad scope and maintained interfaces for third-parties, neither of which you need. Not recognizing that a “root store” on a modern OS is merely an abstraction over disparate trust bits is meaningful, particularly when not addressing what the “trust bits” should be or how they’re maintained.

And *that* is an artifact of the way vendors have chosen to ship their OS products.  I think what you’re saying is that large industry software providers aren’t going to change their behavior just because it inconveniences users (customers).  Maybe that’s true.  However, it’s an organizational and implementation argument, not a technical one.

> The IETF primarily targets those developers, not the end-user, and it’s essential to understand why and how it works to understand what work is needed to make something similar for EAP. Dismissing that as organizational structure just means dismissing the requirements and means to success, in which case, you’re going to be as unsatisfied as my appetite for a fresh unicorn burger.

Sure.  Standards are voluntary.  All *good* standards start with clear and accurate Use Cases and User Stories.  The ”users” have to include end-users, not just developers. Technical standards are successful when they solve end-user, market driven problems.  Standards that seek (primarily or secondarily) to preserve “the way we’ve always done it” among the vendor base, are not very useful, IMHO.

We all seem to agree that change is required.  Where we disagree is how change is implemented and who has to make it.  I’m not a unicorn-seeking idealist, but if the rationale behind a particular path to change is suboptimal because of vendor intransigence, then that needs to be very clearly documented for all stakeholders to see.

Regards,

Dave Nelson

v2.23.0 | Report a Bug | By Email