Re: [Emu] Issue 47 Certificate identity checks

Tim Cappalli <Tim.Cappalli@microsoft.com> Wed, 14 April 2021 17:29 UTC

From: Tim Cappalli <Tim.Cappalli@microsoft.com>
To: "aland@deployingradius.com" <aland@deployingradius.com>
CC: "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>, "emu@ietf.org" <emu@ietf.org>
Date: Wed, 14 Apr 2021 17:29:01 +0000
Message-ID: <SA0PR00MB10363C95DBE00F917A750DC5954E9@SA0PR00MB1036.namprd00.prod.outlook.com>
References: <CAOgPGoArm2RdEN4V-L9XEUvOeG0Vs+58Zj_p3Y2yRY0aYsVV_A@mail.gmail.com> <950CF2A7-2C9A-4BAE-8EA2-0FC2DE3C740C@deployingradius.com> <12533.1618359438@localhost> <9B6DEC06-E681-413D-9092-712C20924846@deployingradius.com> <SJ0PR00MB1039DF0140713A18B360B185954E9@SJ0PR00MB1039.namprd00.prod.outlook.com>, <BEB9C306-5EA2-461B-82B3-2319B4B459C6@deployingradius.com>
In-Reply-To: <BEB9C306-5EA2-461B-82B3-2319B4B459C6@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/qN9LwHyy65868vyzkFQGdI2T0P0>
Subject: Re: [Emu] Issue 47 Certificate identity checks
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>

The equivalent to HTTPS with EAP would be if the ESSID was a subject name in the certificate and ESSIDs could be registered and validated. That doesn't exist today and wouldn't ever really work (or scale). The closest thing to it is server certificates for Passpoint OSU, which have their own issues and aren't feasible for most deployments.

Given the significant changes required in both EAP clients and EAP servers for TLS 1.3, I think the time is appropriate for making the server certificate requirements more strict. This is likely the last chance for a long time.

tim
________________________________
From: Alan DeKok <aland@deployingradius.com>
Sent: Wednesday, April 14, 2021 13:21
To: Tim Cappalli <Tim.Cappalli@microsoft.com>
Cc: mcr+ietf@sandelman.ca <mcr+ietf@sandelman.ca>; emu@ietf.org <emu@ietf.org>
Subject: Re: [Emu] Issue 47 Certificate identity checks

On Apr 14, 2021, at 10:56 AM, Tim Cappalli <Tim.Cappalli@microsoft.com> wrote:
>
> Honestly, no information in an EAP server certificate is good enough for a user to make a "walk up" informed decision.

  I'm curious how this is different from say, HTTPS.  The use-cases seem pretty similar.

> At least requiring an EAP-specific EKU or OID would require operating systems to separate out the EAP trust store.

  I agree 100% there.

> TLS Web Server Certificate should not be acceptable for EAP.

  Well, yes.  The question is how do we get there from here.

  Alan DeKok.
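Editor's note, not part of the thread above: the two checks Tim and Alan agree on (an EAP-only trust store, and an EAP-specific EKU so that a plain TLS web server certificate is refused) are easy to show in code. The Go program below is an added example written for this archive page, not code from any EAP implementation or from the thread's participants. It uses the EKU OIDs RFC 4334 defines for EAP (id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13, id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14) and Go's standard crypto/x509. The CAs, leaf certificates, and names (`Example EAP CA`, `radius.example.net`, and so on) are constructed in memory for the demonstration and are hypothetical. Deliberately, no subject name is checked, since, as Tim notes, nothing in the certificate binds it to the ESSID the user joined.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// EAP extended key usages from RFC 4334 (id-kp 13 and id-kp 14).
var (
	oidEAPOverPPP = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 13}
	oidEAPOverLAN = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 14}
)

// ErrNotEAPServer: chain is fine, but the leaf is an ordinary TLS web server
// certificate with no EAP EKU, which this policy refuses for EAP.
var ErrNotEAPServer = errors.New("leaf lacks id-kp-eapOverLAN/eapOverPPP; web server certificate refused for EAP")

// VerifyEAPServerCert validates leaf against eapRoots (an EAP-only trust store,
// kept apart from the system web PKI store) and then requires an EAP EKU.
// Go has no constant for the RFC 4334 OIDs, so they appear in UnknownExtKeyUsage;
// ExtKeyUsageAny switches off Go's default serverAuth requirement so that the
// EKU policy below is the only one applied. No name binding is checked.
func VerifyEAPServerCert(leaf *x509.Certificate, eapRoots *x509.CertPool, now time.Time) error {
	opts := x509.VerifyOptions{Roots: eapRoots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain validation against EAP trust store failed: %w", err)
	}
	for _, oid := range leaf.UnknownExtKeyUsage {
		if oid.Equal(oidEAPOverLAN) || oid.Equal(oidEAPOverPPP) {
			return nil
		}
	}
	return ErrNotEAPServer
}

// Fixture holds hypothetical certificates minted in memory for the demo.
type Fixture struct {
	EAPRoots  *x509.CertPool    // trust store holding only the EAP CA
	EAPLeaf   *x509.Certificate // EAP CA -> leaf with id-kp-eapOverLAN
	WebLeaf   *x509.Certificate // EAP CA -> leaf with only id-kp-serverAuth
	WebCALeaf *x509.Certificate // web-only CA -> leaf with id-kp-eapOverLAN
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildFixture mints two throwaway CAs and three leaves so that every branch of
// VerifyEAPServerCert can be exercised offline.
func BuildFixture(now time.Time) Fixture {
	serial := int64(0)
	base := func(cn string) *x509.Certificate {
		serial++
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), BasicConstraintsValid: true}
	}
	newCA := func(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
		key, t := newKey(), base(cn)
		t.IsCA, t.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature
		return mustCert(t, t, &key.PublicKey, key), key
	}
	newLeaf := func(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, eap bool) *x509.Certificate {
		key, t := newKey(), base(cn)
		t.KeyUsage = x509.KeyUsageDigitalSignature
		if eap {
			t.UnknownExtKeyUsage = []asn1.ObjectIdentifier{oidEAPOverLAN}
		} else {
			t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		}
		return mustCert(t, ca, &key.PublicKey, caKey)
	}
	eapCA, eapKey := newCA("Example EAP CA")
	webCA, webKey := newCA("Example Web CA")
	roots := x509.NewCertPool()
	roots.AddCert(eapCA) // the web CA is deliberately absent from the EAP store
	return Fixture{EAPRoots: roots,
		EAPLeaf:   newLeaf("radius.example.net", eapCA, eapKey, true),
		WebLeaf:   newLeaf("www.example.net", eapCA, eapKey, false),
		WebCALeaf: newLeaf("radius.example.net", webCA, webKey, true)}
}

func main() {
	now := time.Now()
	f := BuildFixture(now)
	fmt.Println("EAP-EKU leaf from EAP CA:     ", VerifyEAPServerCert(f.EAPLeaf, f.EAPRoots, now))
	fmt.Println("serverAuth leaf from EAP CA:  ", VerifyEAPServerCert(f.WebLeaf, f.EAPRoots, now))
	fmt.Println("EAP-EKU leaf from web-only CA:", VerifyEAPServerCert(f.WebCALeaf, f.EAPRoots, now))
}
```

The first leaf passes, the second fails with ErrNotEAPServer (right issuer, wrong purpose), and the third fails chain validation even though it carries the EAP EKU, because its CA lives only in the web store. That third case is the point of a separate EAP trust store: a supplicant that reused the system web CA bundle would accept it.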