Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

"Eliot Lear (elear)" <elear@cisco.com> Wed, 08 January 2020 11:29 UTC

From: "Eliot Lear (elear)" <elear@cisco.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: Alan DeKok <aland@deployingradius.com>, EMU WG <emu@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
Date: Wed, 08 Jan 2020 11:29:48 +0000
Message-ID: <0BE0A0F3-AC37-426E-B322-05DF59594069@cisco.com>
References: <MN2PR11MB3901F9B86DAC83AF67FBA49DDB560@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HEzR4U9L2Bbj65hSKo4=GEHv=NVGkySFpdCaK2NoJBmFQ@mail.gmail.com> <MN2PR11MB39013D4C54FEACDC8228D136DB3F0@MN2PR11MB3901.namprd11.prod.outlook.com> <CAErg=HG=ZTbzfSr8oQMWgzFNqmdPkUNttLQDprGo5F6LXv9T5Q@mail.gmail.com> <B823CF84-4F78-4B91-BC68-E173FA78C28D@deployingradius.com> <CAErg=HEAtGiJKpLamdUaHicU2Psu7_0RrwsrwiQpb-uHOZ2p2Q@mail.gmail.com> <B2989B0E-8B6B-4B7A-B871-AF520310B3FC@deployingradius.com> <CAErg=HG06ZpiRUYogiVwoJPsZDsjzAVvO0B4=K=PE7aAHe44rA@mail.gmail.com> <6CEB4C89-B749-4A65-A25A-A12830ED8A62@deployingradius.com> <CAErg=HFPCYKgUEXHaOC0sQECYaVmt0TZXe-uDrKzFiNSAcdckg@mail.gmail.com> <00453E78-D991-4B4D-A138-5788FACC47C2@deployingradius.com> <CAErg=HFYQpfqTE9==TzGo795ZiuNBGVMqWuXS6GJ2DV0nGxPzA@mail.gmail.com> <5F6DD581-21D6-4304-824E-4846CA3BC335@cisco.com> <CAErg=HHcXU6MrzBZAY8y7tDhxY=K6q2tJJ3xXGfV_JxjRy29Kg@mail.gmail.com>
In-Reply-To: <CAErg=HHcXU6MrzBZAY8y7tDhxY=K6q2tJJ3xXGfV_JxjRy29Kg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/tjLBO11OQlIs22JJDGtr97-E1HI>
Subject: Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>

Thanks, Ryan.  After I sent the note I thought about document signing.  Our SUDI model at Cisco I view as somewhat different, but may be closer to apt to EAP anyway, so worth discussing.

Eliot

On 8 Jan 2020, at 12:26, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:

> On Wed, Jan 8, 2020 at 5:00 AM Eliot Lear (elear) <elear@cisco.com> wrote:
>
>> Hi Ryan,
>>
>> This topic seems like a good one to just get on the phone and sort through, but I have one question:
>>
>> On 8 Jan 2020, at 09:11, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
>>
>>> However, if using the same set of CAs that popular OSes use for TLS, it does mean that these CAs, and their customers, will still be subject to the same agility requirements, and limited to the same profile as TLS. Because of this, there's ample reason to split further into the dedicated hierarchy and dedicated EKU.
>>
>> Is there an example of a non-EAP use where splitting into a new hierarchy has actually succeeded?
>
> Document signing generally fits there, in that there are a number of CAs that only offer document signing/identity proofing without overlapping. As would, say, Cisco's device/firmware signing model or the PKIs in use in the financial services/ATM markets.
>
> Relevant to EAP would be the aforementioned Passpoint model, which uses new and distinct CAs for that. There are definitely flaws with that (e.g. wanting said CAs to work with browsers), but there are parts of it that do work.
>
> There's no technical reason to require the use of the same roots/same hierarchy, and ample and adequate reason to distinguish: both from the perspective of a root store maintainer (ensuring certificates comply with policies) and as a certificate consumer (minimizing risk of misissuance, ala Flame)
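Editor's worked example of the relying-party side of the "dedicated hierarchy plus dedicated EKU" split discussed in the quoted exchange. This is added illustration code, not code from the thread, from Cisco's SUDI/firmware-signing PKI, or from any Passpoint deployment. It uses Go's standard crypto/x509 to build two throwaway hierarchies (the names "Example EAP" and "Example Web TLS" are constructed), then verifies a supplicant certificate against a trust store that holds only the EAP root. id-kp-clientAuth stands in for "the dedicated EKU"; the thread does not name a specific OID, so that choice is an assumption of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// hierarchy is one self-contained PKI: a self-signed root plus the issuing CA
// chained under it. Two of these model "the EAP hierarchy" and "the web TLS
// hierarchy" so a relying party can trust one without the other.
type hierarchy struct {
	root  *x509.Certificate
	ca    *x509.Certificate
	caKey *ecdsa.PrivateKey
}

var serial int64 // monotonic serials for the throwaway certificates

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent using parentKey and returns the parsed cert.
func sign(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newHierarchy builds root -> issuing CA for the given (constructed) name.
func newHierarchy(name string) *hierarchy {
	now := time.Now()
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	rootKey := newKey()
	rootTmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: name + " Root"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour), KeyUsage: caUsage,
	}
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	caKey := newKey()
	caTmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: name + " Issuing CA"}, IsCA: true, BasicConstraintsValid: true,
		MaxPathLen: 0, MaxPathLenZero: true, // may issue end-entity certs only
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(5 * 365 * 24 * time.Hour), KeyUsage: caUsage,
	}
	return &hierarchy{root: root, ca: sign(caTmpl, root, &caKey.PublicKey, rootKey), caKey: caKey}
}

// issue returns an end-entity certificate from this hierarchy carrying the given EKUs.
func (h *hierarchy) issue(cn string, ekus ...x509.ExtKeyUsage) *x509.Certificate {
	leafKey := newKey()
	tmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
	}
	return sign(tmpl, h.ca, &leafKey.PublicKey, h.caKey)
}

// verifyEAPClient is the EAP server's check: the trust store holds only the
// dedicated EAP root, and the chain must be valid for id-kp-clientAuth.
// Go's Verify treats a leaf with no EKU extension as valid for any usage, so
// the EKU is additionally required to be asserted explicitly on the leaf.
func verifyEAPClient(leaf *x509.Certificate, presented []*x509.Certificate, eapRoot *x509.Certificate) error {
	explicit := false
	for _, u := range leaf.ExtKeyUsage {
		explicit = explicit || u == x509.ExtKeyUsageClientAuth
	}
	if !explicit {
		return errors.New("leaf does not assert id-kp-clientAuth")
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(eapRoot)
	for _, c := range presented {
		inter.AddCert(c) // intermediates sent by the supplicant, never trusted on their own
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	eap, web := newHierarchy("Example EAP"), newHierarchy("Example Web TLS")
	good := eap.issue("supplicant-01", x509.ExtKeyUsageClientAuth)
	wrongEKU := eap.issue("supplicant-02", x509.ExtKeyUsageServerAuth)
	wrongRoot := web.issue("supplicant-03", x509.ExtKeyUsageClientAuth)
	fmt.Println("EAP root + clientAuth:     ", verifyEAPClient(good, []*x509.Certificate{eap.ca}, eap.root))
	fmt.Println("EAP root, serverAuth only: ", verifyEAPClient(wrongEKU, []*x509.Certificate{eap.ca}, eap.root))
	fmt.Println("Web TLS root + clientAuth: ", verifyEAPClient(wrongRoot, []*x509.Certificate{web.ca}, eap.root))
}
```

The three calls in main show the two failure modes the split is meant to produce: a certificate from the web TLS hierarchy fails with an unknown-authority error even though it carries the right EKU, and a certificate from the EAP hierarchy with only serverAuth fails the usage check. If a deployment assigns a private EKU OID instead of id-kp-clientAuth, Go's VerifyOptions.KeyUsages cannot express it; the equivalent check would look for that OID in leaf.UnknownExtKeyUsage and in each CA along the chain.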