Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
Ryan Sleevi <ryan-ietf@sleevi.com> Sat, 18 January 2020 21:11 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E11F1120019; Sat, 18 Jan 2020 13:11:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jhYgKu9a1s3n; Sat, 18 Jan 2020 13:11:25 -0800 (PST)
Received: from mail-ed1-f43.google.com (mail-ed1-f43.google.com [209.85.208.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F115120074; Sat, 18 Jan 2020 13:11:25 -0800 (PST)
Received: by mail-ed1-f43.google.com with SMTP id b8so25814774edx.7; Sat, 18 Jan 2020 13:11:25 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WRefz/pczOuDH44plo2AiYWL70WXXEqt0vl7y//msMk=; b=FrH+NprwIkAVaRe6w+vSm6AHas2zI3IOsv/QQFXeIZ7lKcjEHFOveaKfWMK1AMavdA Y3Y7SOJK2euSFssQh0PZd1AGOTLp75ZPCanwujDpZVQ0MyZWS3MlKEkeyG6FSRq9mJ0y d3VEOOFEyP3OgWAle+yYIST5W5O7wAhJYRy+FMovLi8CN5Z3p6YOBKhFE87gxaGXk4y9 UCFufYhf81loQw31yAVdkCB9h8YQb20LQc2yTtNIWcDgjMKVn+UX8erJUrpwFod7XFvt Ls0Z55QsWdOfdj7I68lIsf+5Xhtow4ouwcrfCvOhTIK1qEGgqcO1/NoefkKRlwAyzaPY E3Sw==
X-Gm-Message-State: APjAAAVjASYQWaX9pgQibK6HQn/x6nrWiqgmmFCMXa6avGNmQxid/FsX ybfDDufdIEsNGyPAw5p08pKDLttg67c=
X-Google-Smtp-Source: APXvYqy6zpMvVzT7MFAMRSlXw+3LjbzOHtFBDVok36XM4lMvjF8CwFgDSpn1Qk3t0LiHeMyZofjCmw==
X-Received: by 2002:a05:6402:1d9a:: with SMTP id dk26mr10921026edb.37.1579381883302; Sat, 18 Jan 2020 13:11:23 -0800 (PST)
Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com. [209.85.128.42]) by smtp.gmail.com with ESMTPSA id o1sm1162958edr.14.2020.01.18.13.11.22 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 18 Jan 2020 13:11:22 -0800 (PST)
Received: by mail-wm1-f42.google.com with SMTP id a5so10712781wmb.0; Sat, 18 Jan 2020 13:11:22 -0800 (PST)
X-Received: by 2002:a05:600c:149:: with SMTP id w9mr10617395wmm.132.1579381882379; Sat, 18 Jan 2020 13:11:22 -0800 (PST)
MIME-Version: 1.0
References: <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <316CC74D-667B-4A1E-AD48-A702DF705423@deployingradius.com> <6191.1578513600@localhost> <CB67C090-4D6A-4586-AD7C-99A29EF5D92D@deployingradius.com> <CAOgPGoDADPY125Bf7mbPCpEVkwVF=YmbG9wAN0S-WyCWg27BCw@mail.gmail.com> <20200116040715.GC80030@kduck.mit.edu> <CAErg=HHwLOw9sL2=nGca5MuuyiV2Zghrp6prR7SqLJAvfCLmjA@mail.gmail.com> <B3A03277-C176-4E63-ADB3-70133E2ABA46@deployingradius.com> <MN2PR11MB3901D1B17802F2DACCC8966CDB300@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HE0XDbhuibtky5VhvZYUnQxDitLSEuf4uzXnuByNQN+4Q@mail.gmail.com> <55CE7F32-B5DE-44F5-AE06-72BE12FA05FF@deployingradius.com> <CAErg=HH8LjqMR37Ek1uK12uCDj4N89Ot=Fm_PLOBdeXsv3sdpw@mail.gmail.com> <7F591857-4B7B-41BD-B101-6C40BE527644@deployingradius.com> <CAErg=HF9SQCmP9hi8SP-EstyYL-qVLWMeitP2AHc3T6ZWZM4vQ@mail.gmail.com> <9AADAAD6-0A66-4198-AFBF-DBC2D87DBFA0@deployingradius.com>
In-Reply-To: <9AADAAD6-0A66-4198-AFBF-DBC2D87DBFA0@deployingradius.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Sat, 18 Jan 2020 16:11:11 -0500
X-Gmail-Original-Message-ID: <CAErg=HE8WO1oU=ZUxMeJZpxVyM_6ypCn-3_9UqKkMv44c7Do=Q@mail.gmail.com>
Message-ID: <CAErg=HE8WO1oU=ZUxMeJZpxVyM_6ypCn-3_9UqKkMv44c7Do=Q@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, EMU WG <emu@ietf.org>, Joseph Salowey <joe@salowey.net>, Michael Richardson <mcr+ietf@sandelman.ca>, "Owen Friel (ofriel)" <ofriel@cisco.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000106385059c7080e5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/sO7HxncpgzGLHOH7PPEdoslrxNA>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jan 2020 21:11:27 -0000
On Sat, Jan 18, 2020 at 2:23 PM Alan DeKok <aland@deployingradius.com> wrote: > > Where can I get a certificate with id-kp-eapOverLAN? Or where can I > get a cert designed for use with STMP, XMPP, etc.? > > > > https://wiki.xmpp.org/web/XMPP_Server_Certificates > > > https://xmpp.org/about/xsf/records/proposals/intermediate-certificate-authority > > XMPP. Not id-kp-eapOverLAN. And not SMTP, not RADIUS over TLS Not DNS > over TLS, and so on. You’re conflating several things, as well as seemingly shifting the goal posts here. Perhaps it’s just a poor expression of the problem, as you see it, in which case, it might help to be clearer. _Some_ CAs forbid their certificates from being used with web servers. _Some_ CAs forbid their certificates from being used with SMTP, or DNS over TLS, or XMPP. If those CAs certificates are used for those purposes, they need to be revoked if the CA obtains evidence of this. If the CA doesn’t like that, they can change their policies - although in many cases, how they’ve forbidden things do not retroactively permit it. If the Subscriber doesn’t like this, they can choose another CA. If the software developer doesn’t like this, they can trust different CAs. Can’t get eapOverLan from a TLS CA? Ok. That’s not a bug, that’s not a misdesign, that’s how it works and is supposed to work. The CA you’d like to use has a policy that forbids using your certificates that way? Find a different CA. Run your own internal CA. These aren’t difficult or unreasonable things. > This is the problem with ignoring the broader message. “The CAs” is a > term without useful meaning. Everyone can be a CA. You can be a CA. I can > be a CA. Anyone who wants can issue certificates. There’s no set of > entities blessed in some special power which only they can mint > certificates, and thus their choices not to do so somehow be a sign of > neglect. > > That is mostly true, but unhelpful. Windows doesn't ship with "Billy > bob's tackle shop & CA" root certificates. Neither does Linux, OSX, etc. > Your statement here is just a rephrasing of "use a private CA", and > "manually configure things". Yes, exactly, which is why I’m not sure the objection. This is why I tried to cleanly separate out the problems, which seem to keep getting conflated. The problem of “what does it mean today” and “what does it mean in a future where nothing has to be manually configured” are different problems, and it’s unreasonable to keep demanding that the second be solved when addressing the first. The root CAs that ship on modern OS distributions *are* blessed with a > special power. Only they can mint certificates which are *automatically* > trusted by most applications on the OS. For certain purposes, according to certain policies. If you don’t like those policies, or you want more purposes, do your own thing. The same modern OS distributions provide that capability for applications to do so, to allow the application vendor to select their trust store, and It Just Works. Can’t find someone who does what you want? That’s not a problem: you can do it yourself. In discussing the second problem, there is absolutely zero reason to use anything existing. None whatsoever. It’s completely unreasonable to be complaining “CA X won’t let me use certificates for this purpose” if you’re not addressing that with CA X. And it’s completely unreasonable to complain that Root stores intended for use case Y cannot be used with use case Z. Hammers make lousy screwdrivers, even if they are both “tools one uses when building furniture” > Want id-kp-eapOverLan? Sure, plenty will happily do that for you, for a > price. Don’t like the price? Run your own CA and issue them yourself. > There’s zero cost, and plenty of open-source tools to make “run your own > CA” be a single line on a command-shell. > > Windows actually *forbids* id-kp-eapOverLAN from being used by the > well-known root CAs: > > > https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj200219(v%3Dws.11) > > ... > You must deploy a private CA rather than obtain server certificates from a > third party public CA. In addition, the certificate template that you use > to issue the certificates must contain the RADIUS EKU extension. This > extension is id-kp-eapOverLAN and the object identifier (OID) for this EKU > is 1.3.6.1.5.5.7.3.14. This EKU extension can only be configured on a > private CA and is used by Windows 8 to determine whether a private CA > issued the certificate. > ... > > This use-case would also seem to be outside of the scope envisioned by > RFC 4334, which applies to client certificates. Fantastic! That’s exactly what I’m saying more folks should do for the “current”. That’s a feature, not a bug.
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Owen Friel (ofriel)
- [Emu] EAP/EMU recommendations for client cert val… Owen Friel (ofriel)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] EAP/EMU recommendations for client cert… Michael Richardson
- Re: [Emu] EAP/EMU recommendations for client cert… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Joseph Salowey
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Benjamin Kaduk
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Eliot Lear (elear)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Mohit Sethi M
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Owen Friel (ofriel)
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Stephen Farrell
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Stephen Farrell
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Salz, Rich
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Russ Housley
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Peter Bowen
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Michael Richardson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… David B. Nelson
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Alan DeKok
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Ryan Sleevi
- Re: [Emu] [lamps] EAP/EMU recommendations for cli… Phillip Hallam-Baker