IETF Logo Mail Archive

Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

Alan DeKok <aland@deployingradius.com> Sat, 18 January 2020 19:23 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6000912003E; Sat, 18 Jan 2020 11:23:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u0WlhnP6Hm8y; Sat, 18 Jan 2020 11:23:45 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F2B5120019; Sat, 18 Jan 2020 11:23:45 -0800 (PST)
Received: from [192.168.46.130] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id C22727AD; Sat, 18 Jan 2020 19:23:41 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none header.from=deployingradius.com
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAErg=HF9SQCmP9hi8SP-EstyYL-qVLWMeitP2AHc3T6ZWZM4vQ@mail.gmail.com>
Date: Sat, 18 Jan 2020 14:23:40 -0500
Cc: Benjamin Kaduk <kaduk@mit.edu>, EMU WG <emu@ietf.org>, Joseph Salowey <joe@salowey.net>, Michael Richardson <mcr+ietf@sandelman.ca>, "Owen Friel (ofriel)" <ofriel@cisco.com>, "spasm@ietf.org" <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9AADAAD6-0A66-4198-AFBF-DBC2D87DBFA0@deployingradius.com>
References: <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <316CC74D-667B-4A1E-AD48-A702DF705423@deployingradius.com> <6191.1578513600@localhost> <CB67C090-4D6A-4586-AD7C-99A29EF5D92D@deployingradius.com> <CAOgPGoDADPY125Bf7mbPCpEVkwVF=YmbG9wAN0S-WyCWg27BCw@mail.gmail.com> <20200116040715.GC80030@kduck.mit.edu> <CAErg=HHwLOw9sL2=nGca5MuuyiV2Zghrp6prR7SqLJAvfCLmjA@mail.gmail.com> <B3A03277-C176-4E63-ADB3-70133E2ABA46@deployingradius.com> <MN2PR11MB3901D1B17802F2DACCC8966CDB300@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HE0XDbhuibtky5VhvZYUnQxDitLSEuf4uzXnuByNQN+4Q@mail.gmail.com> <55CE7F32-B5DE-44F5-AE06-72BE12FA05FF@deployingradius.com> <CAErg=HH8LjqMR37Ek1uK12uCDj4N89Ot=Fm_PLOBdeXsv3sdpw@mail.gmail.com> <7F591857-4B7B-41BD-B101-6C40BE527644@deployingradius.com> <CAErg=HF9SQCmP9hi8SP-EstyYL-qVLWMeitP2AHc3T6ZWZM4vQ@mail.gmail.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/s1LMFqM74B2HxJH4aAcF_F7sRSs>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jan 2020 19:23:48 -0000

On Jan 18, 2020, at 11:10 AM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
> If the point was a singular CA seeming to violate their CP/CPS (that is, DigiCert), then yes, absolutely, you can go submit a CA problem report and the CA is obligated to respond in 24 hours with their analysis to your problem report. 

  I would recommend putting policies into practice.

  I disagree with those policies, so I don't feel responsible for putting them into practice.

> >  Those policies can best be described as "opaque".  There is no clear statement that "using certs with id-kp-serverAuth in non-WWW protocols is grounds for revocation".
> 
> I whole heartedly agree! To continue to connect it back to the original discussion, so that thread is not lost: if your use case (for example, EAP-TLS) wants to allow subjectivity and flexibility in how statements like this are interpreted, then you have to make sure other stakeholders are not also involved. That’s all.

  I don't understand the relevance of that statement.

  The concern is that *existing* CAs have policies which prevent EAP-TLS admins from using their certificates.  These policies apply to pretty much all non-WWW protocols.  The implication above is that these people can just start their own CAs.

  That's nice, but doesn't solve the problem.

>   Where can I get a certificate with id-kp-eapOverLAN?  Or where can I get a cert designed for use with STMP, XMPP, etc.?
> 
> https://wiki.xmpp.org/web/XMPP_Server_Certificates
> https://xmpp.org/about/xsf/records/proposals/intermediate-certificate-authority

  XMPP.  Not id-kp-eapOverLAN.  And not SMTP, not RADIUS over TLS  Not DNS over TLS, and so on.

> This is the problem with ignoring the broader message. “The CAs” is a term without useful meaning. Everyone can be a CA. You can be a CA. I can be a CA. Anyone who wants can issue certificates. There’s no set of entities blessed in some special power which only they can mint certificates, and thus their choices not to do so somehow be a sign of neglect.

  That is mostly true, but unhelpful.  Windows doesn't ship with "Billy bob's tackle shop & CA" root certificates.  Neither does Linux, OSX, etc.  Your statement here is just a rephrasing of "use a private CA", and "manually configure things".

  The root CAs that ship on modern OS distributions *are* blessed with a special power.  Only they can mint certificates which are *automatically* trusted by most applications on the OS.

> Want id-kp-eapOverLan? Sure, plenty will happily do that for you, for a price. Don’t like the price? Run your own CA and issue them yourself. There’s zero cost, and plenty of open-source tools to make “run your own CA” be a single line on a command-shell.

  Windows actually *forbids* id-kp-eapOverLAN from being used by the well-known root CAs:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj200219(v%3Dws.11)

...
You must deploy a private CA rather than obtain server certificates from a third party public CA. In addition, the certificate template that you use to issue the certificates must contain the RADIUS EKU extension. This extension is id-kp-eapOverLAN and the object identifier (OID) for this EKU is 1.3.6.1.5.5.7.3.14. This EKU extension can only be configured on a private CA and is used by Windows 8 to determine whether a private CA issued the certificate.
...

  This use-case would also seem to be outside of the scope envisioned by RFC 4334, which applies to client certificates.

> Now, it may be that when you CAs, what you mean is “I can’t get a certificate from the set of organizations that operate private keys/trust anchors, trusted for this purpose in a default install of my operating system / browser / insert X here, and which chains to that public key”. That is, you can’t get one of these certs chaining to the same root. Some might, but you’re right, that’s much more rare. And that’s a feature, not a bug or neglect, because you should be using separate hierarchies if you have different needs.

  That statement is a decade too late.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email