[Emu] Idea: New X509 Extension for securing EAP-TLS
Jan-Frederik Rieckers <rieckers@uni-bremen.de> Sat, 09 November 2019 17:33 UTC
From: Jan-Frederik Rieckers <rieckers@uni-bremen.de>
To: emu@ietf.org
Message-ID: <102dd850-b1ae-3426-8189-45876b7b419d@uni-bremen.de>
Date: Sat, 09 Nov 2019 18:33:18 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/lnyggIQd8_73m1yH43uoKYD7UxU>
Hi to all,

I have submitted a draft for a new X509v3 extension to improve security in EAP environments by including information which is implicitly defined by the communication context in the certificate. This is done e.g. by including the Realm of the username in the certificate, to give clients the opportunity to decide if the certificate can be trusted apart from (user-set) configuration.

https://datatracker.ietf.org/doc/draft-rieckers-eapparameterextension/

This is a very early working state. I would be happy to get feedback on whether this is useful and whether the draft goes in the right direction.

If people are interested I would prepare a short presentation about deployment experiences in the eduroam at the University Bremen, which have led to this draft, together with the basic idea of how to solve these problems.

Probably this draft is not one which can or will be adopted by the EMU working group, but I think this is the right group of people for a first feedback.

Kind regards
Jan-Frederik Rieckers
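The post sketches the client-side decision the extension is meant to enable: the supplicant compares the realm of its own identity with the realm the server certificate carries, instead of relying only on user-set configuration. The following is an added illustration of that check, written for this page; it is not code from the draft, from the author, or from any supplicant. The draft's real extension OID and ASN.1 syntax are not on the page, so the OID below is a placeholder and the extension value is assumed to be a single DER UTF8String holding the realm. Realm extraction follows the NAI form of RFC 7542 (everything after the last `@`). The handling of a certificate without the extension (fall back to whatever the configuration says) is also an assumption made for the example.

```python
"""Client-side realm check for an EAP-TLS server certificate (added example).

Not code from the draft or the mailing-list post. Placeholder OID, assumed
UTF8String encoding, and assumed fallback policy; see the lead-in.
"""
import re
from typing import Dict, Optional, Tuple

# Placeholder OID for the hypothetical "EAP realm" extension (assumption,
# not the OID used by the draft).
EAP_REALM_EXT_OID = "1.3.6.1.4.1.99999.1"

# One DNS-style label: alphanumerics, hyphens only in the middle.
_REALM_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def _der_length(n: int) -> bytes:
    """DER length octets; short form and one-byte long form are enough here."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return b"\x81" + bytes([n])
    raise ValueError("realm too long for this example")


def der_encode_utf8string(value: str) -> bytes:
    """Encode a realm as a DER UTF8String (tag 0x0C)."""
    body = value.encode("utf-8")
    return b"\x0c" + _der_length(len(body)) + body


def der_decode_utf8string(data: bytes) -> str:
    """Strictly decode a DER UTF8String; reject wrong tags, non-minimal
    lengths and trailing bytes, since this comes from an untrusted server."""
    if len(data) < 2 or data[0] != 0x0C:
        raise ValueError("not a UTF8String")
    first = data[1]
    if first < 0x80:
        length, offset = first, 2
    elif first == 0x81:
        if len(data) < 3 or data[2] < 0x80:
            raise ValueError("non-minimal DER length")
        length, offset = data[2], 3
    else:
        raise ValueError("unsupported length encoding")
    if len(data) != offset + length:
        raise ValueError("length does not match content")
    return data[offset:].decode("utf-8")


def realm_of(nai: str) -> Optional[str]:
    """Realm of an NAI per RFC 7542: the part after the last '@'."""
    if "@" not in nai:
        return None
    realm = nai.rsplit("@", 1)[1]
    if not all(_REALM_LABEL.match(label) for label in realm.split(".")):
        return None
    return realm


def build_extensions(realm: str) -> Dict[str, bytes]:
    """Model of a certificate's extensions: OID -> DER extension value
    (constructed for the example; a real client reads these from X.509)."""
    return {EAP_REALM_EXT_OID: der_encode_utf8string(realm)}


def evaluate_server_certificate(extensions: Dict[str, bytes],
                                outer_identity: str,
                                config_trusts_cert: bool) -> Tuple[str, str]:
    """Return ("accept" | "reject", reason).

    A present extension is authoritative: a realm mismatch is rejected even if
    the user-set configuration would have trusted the certificate. With no
    extension, only the configuration can vouch for the server (assumption).
    """
    nai_realm = realm_of(outer_identity)
    if nai_realm is None:
        return "reject", "outer identity carries no usable realm"
    ext = extensions.get(EAP_REALM_EXT_OID)
    if ext is None:
        decision = "accept" if config_trusts_cert else "reject"
        return decision, "no realm extension; relying on configuration"
    try:
        cert_realm = der_decode_utf8string(ext)
    except ValueError as err:
        return "reject", f"malformed realm extension: {err}"
    # Realms are DNS-like, so compare case-insensitively.
    if cert_realm.lower() != nai_realm.lower():
        return "reject", (f"certificate realm {cert_realm!r} does not match "
                          f"identity realm {nai_realm!r}")
    return "accept", "certificate realm matches identity realm"


if __name__ == "__main__":
    exts = build_extensions("uni-bremen.de")  # constructed sample
    print(evaluate_server_certificate(exts, "anonymous@uni-bremen.de", False))
    print(evaluate_server_certificate(exts, "anonymous@example.org", True))
    print(evaluate_server_certificate({}, "anonymous@uni-bremen.de", False))
```

The three calls at the bottom show the three cases that matter for the idea in the post: a matching realm is accepted without any configured trust, a mismatching realm is rejected even though the configuration trusted the certificate, and a certificate without the extension falls back to configuration alone.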