[Emu] EAP/EMU recommendations for client cert validation logic

"Owen Friel (ofriel)" <ofriel@cisco.com> Sun, 15 December 2019 21:01 UTC

IronPort-PHdr: 9a23:ceu77RCn3LMVrucYho4aUyQJPHJ1sqjoPgMT9pssgq5PdaLm5Zn5IUjD/qg83kTRU9Dd7PRJw6rNvqbsVHZIwK7JsWtKMfkuHwQAld1QmgUhBMCfDkiuK/DwbiE+NM9DT1RiuXq8NBsdFQ==
From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: "spasm@ietf.org" <spasm@ietf.org>, EMU WG <emu@ietf.org>
Thread-Topic: EAP/EMU recommendations for client cert validation logic
Thread-Index: AdWxNKzqTmo8NKHtQwSIp+NEgFXHNA==
Date: Sun, 15 Dec 2019 20:53:01 +0000
Message-ID: <MN2PR11MB3901F9B86DAC83AF67FBA49DDB560@MN2PR11MB3901.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
Content-Type: multipart/alternative; boundary="_000_MN2PR11MB3901F9B86DAC83AF67FBA49DDB560MN2PR11MB3901namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 7acbaf8b-a843-4dbe-ca3a-08d781a0c64c
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Dec 2019 20:53:01.7296 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: oLm0lke4CtZKtU18dbwTkxpNhSLKx9VA2sEF2k11jxgp/iAaLmv4vd+MzAEcoNyQUB2k8SRV+N/6Va5gRN7qlw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB3823
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.16, xch-rcd-006.cisco.com
X-Outbound-Node: rcdn-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/onQudtmAOE07utViNMPE1zES4Aw>
Subject: [Emu] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Dec 2019 21:01:36 -0000

Hi,

At ACME meeting at IETF106, the last discussion of the week was around EMU looking for recommendations for EAP client/peer/supplicant cert verification logic when the client is verifying the cert that the EAP server presents. Minutes here: https://datatracker.ietf.org/doc/minutes-106-acme/  The recommendation was to ask lamps. This was also discussed on EMU mailer recently.

Quoting some additional background that Alan gave on EMU mailer:


"Background:



a) the current practice in TLS-based EAP methods is to use certificates with "id-kp-serverAuth" OID set for Extended Key Usage.

b) many supplicants check for this OID, and refuse to perform authentication if it is missing

c) supplicants do not check DNS names or any other field in the certificates

d) as a result of this lack of verification, supplicants ship with all known CAs disabled for TLS-based EAP methods"

The key consideration is that RFCs that recommend cert fields for EAP servers that clients should check for are not currently issued by public CAs, and in some instances (e.g. SSID) ownership can often not be proven by CAs.

For example:

https://tools.ietf.org/html/rfc4334#section-2 id-kp-eapOverLAN EKU

https://tools.ietf.org/html/rfc4334#section-3 id-pe-wlanSSID

https://tools.ietf.org/html/rfc7585#section-2.2 NAIRealm

If an EAP server operator wants to use a public CA identity cert on their EAP server, what recommendations should we give to EAP clients so that the supplicant code can handle public or private CA issued EAP server identity in a secure a fashion as possible?

If at some point in the future, public CAs are willing to issue certs with some or all of the above fields, then what is the migration plan, what do we tell EAP clients to do now, and how to they migrate their verification logic?

The ideal experience would be along these lines for a client with real user interactions:
- client connects to an EAP server
- client prompts user for userId + realm and password
- client verifies server cert has id-kp-eapOverLAN set
- NAIRealm in cert matches user's realm
- verify the cert signing chain

The reality today is that if the server cert is issued by a public CA, then all that client can really check is:
- id-kp-serverAuth is set
- dNSName in cert matches user's realm
- verify the cert signing chain

We would like to document some recommendations for EAP clients and EAP operators so that public CAs could be used, and recommend checks for public vs. private CA issued EAP server certs.

It seems like logic should be something like:

- recommend EAP operators with private CA issued certs on their EAP servers set id-kp-eapOverLAN and NAIRealm set
- recommend EAP operators using public CAs get EAP server certs with id-kp-serverAuth and dNSName set
- recommend clients enable trust in public CAs
- recommend clients implement different cert verification logic depending on whether the EAP server cert is issued by a public CA or private CA
- for public CA certs, client checks that id-kp-serverAuth is set *and* dNSName matches user realm. If either check fails, reject.
- for private CA certs, client checks that id-kp-serverAuth or id-kp-eapOverLAN is set *and* NAIRealm matches user realm. If either check fails, reject.

- as a longer term goal see if public CAs will issue id-kp-eapOverLAN and NAIRealm. Although of course if some were to start doing this, then there is a migration challenge, and clients cannot make a hard check for these values against all public CAs. This doesn't really seem practical in the near term at all.

Note that for an IoT device, there is some work to do to define how to e.g. extend the RFC8366 so that it can specify the dNSName that devices should check for when verifying EAP identity where they EAP server uses a public CA. Some related options are outlined in https://tools.ietf.org/html/draft-friel-anima-brski-cloud-01.

Comments/thoughts?

Regards,
Owen

Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Owen Friel (ofriel)
[Emu] EAP/EMU recommendations for client cert val… Owen Friel (ofriel)
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] EAP/EMU recommendations for client cert… Michael Richardson
Re: [Emu] EAP/EMU recommendations for client cert… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Joseph Salowey
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Benjamin Kaduk
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Mohit Sethi M
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Owen Friel (ofriel)
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Stephen Farrell
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Stephen Farrell
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Salz, Rich
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Russ Housley
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Peter Bowen
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
Re: [Emu] [lamps] EAP/EMU recommendations for cli… Phillip Hallam-Baker