IETF Logo Mail Archive

Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

Ryan Sleevi <ryan-ietf@sleevi.com> Mon, 20 January 2020 15:44 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D166612013D; Mon, 20 Jan 2020 07:44:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LIlFSGjWZR9Y; Mon, 20 Jan 2020 07:44:22 -0800 (PST)
Received: from mail-ed1-f45.google.com (mail-ed1-f45.google.com [209.85.208.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95C9A12007A; Mon, 20 Jan 2020 07:44:22 -0800 (PST)
Received: by mail-ed1-f45.google.com with SMTP id b8so29900389edx.7; Mon, 20 Jan 2020 07:44:22 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4vfz96+Yue++rYtcbogTYfflJhtGPOZLPEjhOIqKAq0=; b=dUC3swlcyKARSWLE+f0wRo8lxtAo1XQLggmfkJBXPfXuI4cITI6p9BjjxaWJpOanxR nz1Te1BJdmsDdKyJSrw8xU6lz4K7J0b6aCpGWFbDmQAygsQ7/17rImH8KTmOkAjp0qqE WBeqVAVUWXQ4UjqeM+3n/etu9XD2QFsJPlhhDK0CBDlRCRMYHVUuYzhhuWL1Ke8Ittvn O9PdxxUDmNDHBNnsyAOp4a/rnF36ZAwuIyQU2n27NJielDT4chI3MmBlD8+ZvZZYNISg lU6QEHEW6zvZMHzDqtJMjVQrrjp6TdOxFpE5Ihqf7ViTE5vEuwLVIq7UcpaA/7rPfPiK sOzw==
X-Gm-Message-State: APjAAAXzNr5OTXG5tbTG0d3AZmAP5PC6M0Hq7E53S/xMdIiJ9bnLK78r 8PCkJxn7T/1LYM5BI9a5pRuwSImO
X-Google-Smtp-Source: APXvYqzTRo1nA7xpKqqNkwfqsFyi/JI/vKvwlJfHVGX/szRbTDI5QESxfUr/FpI8WlU0MKW7tc/8tw==
X-Received: by 2002:a05:6402:6c7:: with SMTP id n7mr17478735edy.177.1579535060874; Mon, 20 Jan 2020 07:44:20 -0800 (PST)
Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com. [209.85.221.41]) by smtp.gmail.com with ESMTPSA id j19sm1303503edr.54.2020.01.20.07.44.19 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 20 Jan 2020 07:44:19 -0800 (PST)
Received: by mail-wr1-f41.google.com with SMTP id d16so30077901wre.10; Mon, 20 Jan 2020 07:44:19 -0800 (PST)
X-Received: by 2002:a5d:51cc:: with SMTP id n12mr104183wrv.177.1579535059387; Mon, 20 Jan 2020 07:44:19 -0800 (PST)
MIME-Version: 1.0
References: <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <316CC74D-667B-4A1E-AD48-A702DF705423@deployingradius.com> <6191.1578513600@localhost> <CB67C090-4D6A-4586-AD7C-99A29EF5D92D@deployingradius.com> <CAOgPGoDADPY125Bf7mbPCpEVkwVF=YmbG9wAN0S-WyCWg27BCw@mail.gmail.com> <20200116040715.GC80030@kduck.mit.edu> <CAErg=HHwLOw9sL2=nGca5MuuyiV2Zghrp6prR7SqLJAvfCLmjA@mail.gmail.com> <B3A03277-C176-4E63-ADB3-70133E2ABA46@deployingradius.com> <MN2PR11MB3901D1B17802F2DACCC8966CDB300@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HE0XDbhuibtky5VhvZYUnQxDitLSEuf4uzXnuByNQN+4Q@mail.gmail.com> <55CE7F32-B5DE-44F5-AE06-72BE12FA05FF@deployingradius.com> <CAErg=HH8LjqMR37Ek1uK12uCDj4N89Ot=Fm_PLOBdeXsv3sdpw@mail.gmail.com> <7F591857-4B7B-41BD-B101-6C40BE527644@deployingradius.com> <CAErg=HF9SQCmP9hi8SP-EstyYL-qVLWMeitP2AHc3T6ZWZM4vQ@mail.gmail.com> <9AADAAD6-0A66-4198-AFBF-DBC2D87DBFA0@deployingradius.com> <CAErg=HE8WO1oU=ZUxMeJZpxVyM_6ypCn-3_9UqKkMv44c7Do=Q@mail.gmail.com> <07C710A5-3B2A-4D15-8BB7-AB5A8B5EF5D1@deployingradius.com> <CAErg=HGf=3z+_S2f+_ciSunpi4W05aKxoxx=ozH9kXtooAJL9w@mail.gmail.com> <7C85D468-1D28-4C3A-BC3E-C42374933B51@deployingradius.com> <CAErg=HFM4=V1YjD2Z7Rd5cNsDv6v9oTwKcbaTwhDdrQvOwtS9w@mail.gmail.com> <5ED33CB8-4C56-4117-A001-C2EB056CA80B@deployingradius.com> <CAErg=HF2L-XSQExoKz71QcZMqJdA-gn3KxnZwT1qypzBA9Hi3Q@mail.gmail.com> <22430B86-2680-4E50-AF12-A200FD051E8D@deployingradius.com> <CAErg=HGE-AwviP-VurLJ58vsmkK4uqVCfoqRK4TkEdbSRegN_g@mail.gmail.com> <399CEA71-241C-4E34-833F-5777051A188D@comcast.net>
In-Reply-To: <399CEA71-241C-4E34-833F-5777051A188D@comcast.net>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Mon, 20 Jan 2020 10:44:08 -0500
X-Gmail-Original-Message-ID: <CAErg=HHtQNYa-YG=jnLoHM68EUs6MwRhVEKEw_V1wsDSTA80Cg@mail.gmail.com>
Message-ID: <CAErg=HHtQNYa-YG=jnLoHM68EUs6MwRhVEKEw_V1wsDSTA80Cg@mail.gmail.com>
To: "David B. Nelson" <d.b.nelson@comcast.net>
Cc: Alan DeKok <aland@deployingradius.com>, Benjamin Kaduk <kaduk@mit.edu>, EMU WG <emu@ietf.org>, Ryan Sleevi <ryan-ietf@sleevi.com>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000200894059c942a1a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/s5ppnNtNVzZATJUzee6toEMM9PQ>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2020 15:44:29 -0000

On Mon, Jan 20, 2020 at 10:13 AM David B. Nelson <d.b.nelson@comcast.net>
wrote:

> The arguments about the differentiated policies for use of certificates
> and trust of CAs is probably technically sound.  I think the notion that
> supplicant components can ship with a separate root CA store from that used
> for the browser is perhaps workable.  However, it’s still the OS vendor
> that must include this configuration for it to “just work out o the box”.
> For that reason, I think the claim that it’s not the OS which must support
> the appropriate CAs is a distinction without a difference, and perhaps a
> red herring.


It’s a distinction that cuts to the heart of the original proposal, echo’d
several times on this thread: Can’t we just use the TLS CAs shipped by the
OS today for this, ideally so that OS vendors don’t have any added work.

In that context, it’s essential to make the distinction that while the
end-user experience is indistinguishable, the engineering involved - and
the work of standards here - is meaningfully different. If we conflate the
two or think “let’s just use what we have”, then the world of zero touch
will not happen. That’s why it’s essential to focus on the notion of
defining a new root store, one that doesn’t have to be generally available
to software running on that OS, limited for a particular purpose, so that
we can enumerate the necessary profiles and practices.

It’s also essential to understanding that this solution isn’t gated on a
first-mover problem, as had also been suggested, where everything is doomed
unless and until the OS moves. There’s considerable work that can - and
should - be done, which makes it easier to bring about the second solution
(“zero-touch”), by making sure that the first problem (“what SHOULD you
do”) adequately focuses on making a transition possible.

>

v2.23.0 | Report a Bug | By Email