Re: [Emu] Issue 47 Certificate identity checks

Alan DeKok <aland@deployingradius.com> Wed, 14 April 2021 11:23 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <12533.1618359438@localhost>
Date: Wed, 14 Apr 2021 07:23:29 -0400
Cc: Joseph Salowey <joe@salowey.net>, EMU WG <emu@ietf.org>
Message-Id: <9B6DEC06-E681-413D-9092-712C20924846@deployingradius.com>
References: <CAOgPGoArm2RdEN4V-L9XEUvOeG0Vs+58Zj_p3Y2yRY0aYsVV_A@mail.gmail.com> <950CF2A7-2C9A-4BAE-8EA2-0FC2DE3C740C@deployingradius.com> <12533.1618359438@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/s2XD4ju9e8IwP_dUV-Rbkr7Umdk>
Subject: Re: [Emu] Issue 47 Certificate identity checks

On Apr 13, 2021, at 8:17 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> Why did you need the HTTPS server cert?
> Did you need the OIDs, and stuff out of it?  Why wasn't the realm name enough
> to make the imposter cert from the non-authorized CA?
> 
> I'm just trying to understand how the HTTPS cert is involved here.

  The HTTPS cert contains a wealth of information which makes it look "real" to the average person.  All of that information can be cloned into the imposter cert.  So the only differences between the imposter cert and the real one are (a) the signing CA, and (b) key data that most people don't understand.

  What any mere mortal looking at the imposter cert will see is "Yup, it has the right addresses, phone numbers, names, etc.".  For all intents and purposes, it appears to be real.

  This imposter process worked better years ago when supplicants would show the entire cert to the user.  Now, many don't even do that.  Some just show a fingerprint in a pop-up dialog, and ask the user "is this OK?".

  How that's useful to anyone is beyond me.

  Alan DeKok.
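As an added illustration of the cloning described above (example code written for this archive page, not part of the thread and not any supplicant's or RADIUS server's code), the Go program below builds a genuine server certificate and an imposter whose every visible field is copied from it but which is signed by an unauthorized CA, then shows that a check on the visible names accepts both, while a chain check against the provisioned CA accepts only the genuine one. The host name, organization and CA name are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const expectedHost = "radius.example.org" // identity the supplicant was provisioned with (constructed)
func sign(tmpl, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { // self-signed root: the template signs itself with the fresh key
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildScenario returns the genuine server cert, an imposter with identical visible fields signed by an unauthorized CA, and a trust store holding only the real CA.
func BuildScenario() (genuine, imposter *x509.Certificate, roots *x509.CertPool) {
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Org Root CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	realCA, realKey := sign(ca, nil, nil)
	fakeCA, fakeKey := sign(ca, nil, nil) // same name as the real CA, but a key nobody authorized
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{expectedHost}, NotBefore: ca.NotBefore, NotAfter: ca.NotAfter,
		Subject: pkix.Name{CommonName: expectedHost, Organization: []string{"Example Org"}, Locality: []string{"Ottawa"}}}
	genuine, _ = sign(leaf, realCA, realKey)
	imposter, _ = sign(leaf, fakeCA, fakeKey) // same template, so every field a user sees is identical
	roots = x509.NewCertPool()
	roots.AddCert(realCA)
	return genuine, imposter, roots
}

// LooksRight is what a person reading the certificate checks: the names match. Both certs pass.
func LooksRight(c *x509.Certificate) bool {
	return c.Subject.CommonName == expectedHost && len(c.DNSNames) == 1 && c.DNSNames[0] == expectedHost
}

// ChainsToTrustedCA checks the signature chain to the configured CA plus the hostname; only the genuine cert passes.
func ChainsToTrustedCA(c *x509.Certificate, roots *x509.CertPool) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedHost})
	return err == nil
}
```

The same split applies to a fingerprint pop-up: a hash of the imposter cert is just as opaque to the user as the genuine one, so only a configured CA (or a pinned fingerprint) on the supplicant side tells them apart.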