Re: [Emu] EAP-TLS 1.3 Section 2.2 text

John Mattsson <john.mattsson@ericsson.com> Tue, 08 June 2021 09:25 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B61A3A299D for <emu@ietfa.amsl.com>; Tue, 8 Jun 2021 02:25:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.498
X-Spam-Level:
X-Spam-Status: No, score=-3.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jH4y23t-GKtF for <emu@ietfa.amsl.com>; Tue, 8 Jun 2021 02:25:41 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130077.outbound.protection.outlook.com [40.107.13.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D0EA3A299A for <emu@ietf.org>; Tue, 8 Jun 2021 02:25:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EigGHW2pMzfEIXxWHyAKOmhRDTJXnTEQy43ha8vgsUgQhVrAt9+eTuwIRtHp8Ic3aeusKOQOrqiJmNrdUtUDQk4umFwpr7mSKnGN0dIhQhgo0eSKv4jlTgSP1TZmJJOJCWDAMsIOPZQbFn6/x5m/+KIOoNW6ETsGIW96i7/Qg6/7c17y5bRnu6wMWewNXtEo3p0TcNbmr7wx9YINgwd+MOEWP8QVCJIbfw5jLmrp0aLuaL9nLg1kRi/mDa1r7BXp6bB+mA0jZvEUrGSH+WK34emrIbKTVFIqq8dK+yyn0f2iPmjkXy+vYafhtlOyC/iiWr+wt8aCe/mWN81uE2nFKg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zi/H1nW0RC5wDQ5WlxQbs1+GWQn5aLDPML2E6vs2zkE=; b=Xo6h89t1Y7+hk3QIaTiOZCwLBWW6w69yLaHI7VydgfPCraLOfW4yiyhN7oAK2kyK+8D6oGIFBR+BKb+eCBTk4vmZOP8wzqs7nzZJ3sRvuVtU7RFVN+6n6YMzh6rteh7kZOMSJOucFYjHcsuKvKTOcSvqKEVgtbRr8UEhJEDZ81t75wsBHH7wD8eFsCI4wTa5t9VsU66kJDxSalaVxaKrs7F1ZsgScuFkTzcDHIfgh8CTy+gHe66GQc/5JGuD9tS27zmAOI5AtXaOiRtmLhhm4fNEPX6YqyqB/O+8S54tC8zzhWJBRmYTrScAOyJ7rXeCaATZ1AO6TwCZOEGQKpaLbA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zi/H1nW0RC5wDQ5WlxQbs1+GWQn5aLDPML2E6vs2zkE=; b=NuK+uE7/hZTALVUUacZtdbmnChQQpxt0c21TXFLssamga9Ght7ab+LQ6qXi2Z68A1KEsvM/6gJXVN44NeMI5yXLLXvtNnkXaGT2ViO1qiwaQKbAtORk+/GXyovYy2dD0ZZngWN8lkct9xisQfGTCRBZr5ud1rZ60Dzn9G/s0nXo=
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com (2603:10a6:3:4b::8) by HE1PR0702MB3545.eurprd07.prod.outlook.com (2603:10a6:7:83::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4219.12; Tue, 8 Jun 2021 09:25:37 +0000
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::b071:a4a:817d:2d3]) by HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::b071:a4a:817d:2d3%11]) with mapi id 15.20.4219.019; Tue, 8 Jun 2021 09:25:37 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Oleg Pekar <oleg.pekar.2017@gmail.com>, Joseph Salowey <joe@salowey.net>
CC: "stpeter@mozilla.com" <stpeter@mozilla.com>, EMU WG <emu@ietf.org>
Thread-Topic: [Emu] EAP-TLS 1.3 Section 2.2 text
Thread-Index: AQHXRTpBb0zQbHXIEEaiXDElS6qeJKrcoLGAgAin0QCAApoggIAAUcyAgAKYn4CAAAXSgIACpXSAgAY+zACACiaXgIAMJuZ9
Date: Tue, 8 Jun 2021 09:25:37 +0000
Message-ID: <HE1PR0701MB3050DB57120155469334586289379@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <CAOgPGoBDcbDxGB3_Qy_xXymhnxrfMaOPNP545eMh8XLvU6OX+A@mail.gmail.com> <92D9824F-82C2-440F-807F-7B4799DCF1B6@deployingradius.com> <CAOgPGoAd3CcaqPYd0aYXBDtCmv32T8hpGH+6ysEn7Pi9M+FSiw@mail.gmail.com> <4698EFD4-83B5-4B77-93E8-0E12FE8BC2DD@vigilsec.com> <CABXxEz-Jzfd4_8=bx8DquchkQVj8Hf07m0U8tYWO9-rFtBjqBw@mail.gmail.com> <CABXxEz9th6-JOgHKqEC5W7XQoi3NKUN3_8F3O_14k6nAdwmgRQ@mail.gmail.com> <F6B720FD-CF54-4953-A598-C6713CC10042@deployingradius.com> <CAOgPGoD4hGS4FBaVV4oopEy+0YOeLzUuYD=hGcTrHXcqSQo9AA@mail.gmail.com> <CAOgPGoCVodHuiQAF1Uz6NqNXy_5kjLccrj9=1VYS8yrmoEwytA@mail.gmail.com>, <CABXxEz8kgr+MSoEsiAe=YkjWcMc_dOtUaeP8gMc0yhTDu9Mj4g@mail.gmail.com>
In-Reply-To: <CABXxEz8kgr+MSoEsiAe=YkjWcMc_dOtUaeP8gMc0yhTDu9Mj4g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3079b317-fb4c-4d9e-bbe5-08d92a5f6070
x-ms-traffictypediagnostic: HE1PR0702MB3545:
x-microsoft-antispam-prvs: <HE1PR0702MB3545F5D51C7CF5DEA9999A1689379@HE1PR0702MB3545.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: noWKy68dHZBhC3BPcwnj6wfBGB3JFH9oMf0UfvpUbeabj1YSOZIK8H439LVgYDBswJkGNFAi1cshl/iKAP3i6U3p43aQPoUE7W+x20Ot7Co7BESalLgyHytXPPDPrYdeTN5XGesMXP7ioma3EwMiG7Meww5hsUk/sVFwH4Mcv9vYZrWIUhdsD20TokbX1GcNTlwRYgX54CAt8FnVXByqa1C1DPcMG14GS/dsz3E4KHsjOK5epzCTDIPKmsQt6tn/tDo0bFy/LaF7HaOTNnprftWb6uzxmmMChuuG/xRJvwJkCv4sGjqSnKrR+9G/C0xiGgjD5E6vq5QucQ4MR68dkL5avlnuRoGti5v6x4U0Z8TiUB6VpUDPXyFVctSHfSF/5G7JMG+rrHPI0hY3z6ApVPN88A+Sf9i2QyyRe0O1e+YJxXATzfMt1GjnsM9vKpi4xvw3K8Z4e5QNOFLkLhkIMIwlPaQTVkW8w+W/x7yfFbjQdHbkvS6jzoVF8WD5lXD7UM4KeKxZVTjYlfv3/x5pkYqsj67LaQfIdtFbDhJKoYZjenRJmxHrIc01GM2jNMjLcRk6vUUE/MAp0HwayGovlKV8akVGvnd621aGRm35lNtVF1NK9ZR8hGl+K58LT7s5fxtIoBuLx/BP4/tymdebOBIDovdEdndS/7y/PLZ9xZ62QkguWV9MkR0u/RCh4G13RjM7/eXWzCrSeg+zes7rAS9u8ZhuXT+ZvhyMzzilGaY=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0701MB3050.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(346002)(376002)(39860400002)(396003)(136003)(66946007)(64756008)(66556008)(83380400001)(66476007)(8936002)(76116006)(9686003)(66446008)(71200400001)(966005)(2906002)(86362001)(166002)(21615005)(478600001)(7696005)(55016002)(8676002)(33656002)(5660300002)(110136005)(26005)(52536014)(186003)(122000001)(44832011)(38100700002)(316002)(4326008)(53546011)(54906003)(6506007); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?us-ascii?Q?VUMlzT9bL8uVuvdYPeHeAj3Nqcsrml0UuuZl63rFBkyUtw0WOsVe2koAYVp4?= =?us-ascii?Q?hY+i5fhKlvJETB4CESQVXmGEEUqvrPCb71sF1UA5IbTcKZLo2xk4jwFCdI+L?= =?us-ascii?Q?NWNQFS8yg+/sOZ3mWcRuUMO3S2fse5mNix3fBOwjydwjeM6kyth4Ay6IQfAT?= =?us-ascii?Q?SlxMJOTi75lg3dUIwPryFLRdESbh6tZnwBKJrFZ9uN8e5n/CM8AjRAZXuAd4?= =?us-ascii?Q?VsvMcTp6vGJ/wx4YZNbZuDlFdO8f1Y2pNsSNlLBLOuNoyzQYiBpzk4pAHQCG?= =?us-ascii?Q?cTQ7aN2DB9AKXWDWVs5GQ7I9BtfLCHz4x0cgDw3UtkhnX7IatBVnp6l6m5ba?= =?us-ascii?Q?IrlXOPEPHR8VzWf3RZ9UGXfSjFQkGAMYUywBOYqPt1EgH5elrgho2SRTOtej?= =?us-ascii?Q?GfJnE1CqGHzFV6qh23dRJcIYJvwD+MecAh8xlCIGwfh/BYT4MV+yS4BJQfah?= =?us-ascii?Q?PLXTuusMYoKe2YdknAhZljCfEh+grTrzV96Sxw+pmUJksS2vkZPCk7RYORfS?= =?us-ascii?Q?izBp5GoaeE1WcazM6KaQy7y994MaUSNctrCkzG6on3DoxZvSd7n2cQTphed+?= =?us-ascii?Q?j9eovgTaHT4LeHr6Cx+OXFZicJHWSr49r6xMVdqX2jjXBhsfBcuKjnDtlFyu?= =?us-ascii?Q?SqWN3uDiaJGTT5azSYRs7Jg9+8H/rOocoyv1NgkmBgDsQ9Zv4R7GU9HUwBBy?= =?us-ascii?Q?IfLYWyLL3NJ6+BbfJ+PueW1+fxzu8LR4SvUEWujhwjGtz1YEyH2WqVS8wilW?= =?us-ascii?Q?rfTp7Gnml7dpKdM2CgpXgwFLWOU9VizDKnXd1cYfHmkgIVD9R/XEG425X1MA?= =?us-ascii?Q?k5EQYRMntCv8lcryWGWgHOqsWtCowF+Lj8QBTcHqxF5az+HVTgzW/mD9Cyx8?= =?us-ascii?Q?aTaZ9Se1uYpBrGSBe5XOKf2qAo9UKiOCoTidW7gs/gSZYNzTKKncY5uDOcFj?= =?us-ascii?Q?5yYjN3AvNY96K92TZtAddEq5ToeX8/3roOxCl6dtDsR3tgz1q3ldA4Ga4Emx?= =?us-ascii?Q?pGIopPcCM//2SKBEwmKRB/B/xpv7EuVDKc2u6NNW6xJO5PWl1n/DbHo8gGxy?= =?us-ascii?Q?oTC09imfxJ4y9U3Hci9RLCVs1mXHHyGqanpGh9e1876xAbY+U/eo8ZoO4Wuj?= =?us-ascii?Q?5OfXpSVKctwO2UpqP2AFrqG4VUDDbvnC7at250sTGfwfGgBj0IY/m7teGu07?= =?us-ascii?Q?tAyO3Y4eKlV4UJw0ESavDCuls6tL/m6LAUFJ1ZZBwAyEpX5Ve8e5uADyji6P?= =?us-ascii?Q?spARRlm+EqUixGt5Ogunn0biHGhTdd5WnjTHcekjbBmkSYq1kXwBQqJjPhxp?= =?us-ascii?Q?fgqOJUSLpaMRgLn9Afv/41UJ47YGVewHb3qYwTCmFzPpTA=3D=3D?=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_HE1PR0701MB3050DB57120155469334586289379HE1PR0701MB3050_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB3050.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3079b317-fb4c-4d9e-bbe5-08d92a5f6070
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Jun 2021 09:25:37.6696 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 1mtVwqKQr/gS7VEMmzWpbES0+oAbSuSFYRNI4bcE1TMqSMxwpgH6MIOFmXusqIa2pFK5KKDX01401IZGiyYJcW+7KHyGe1pdF0o2f/MuA7U=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3545
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/tsvAvwbx8JSCbi4aC6uZBgO4ec8>
Subject: Re: [Emu] EAP-TLS 1.3 Section 2.2 text
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jun 2021 09:25:47 -0000

Hi Oleg,

"If server name matching is not used, then peers may end up trusting
servers for EAP authentication that are not intended to be EAP
servers for the network. If name matching is not used with a public
CA bundle, then effectively any server can obtain a certificate which
will be trusted for EAP authentication by the Peer."

Do you have any concrete suggestions for improvements of this section Oleg?
This second part of the paragraph seems to discuss what happens if the
advice in the first half is not followed. When I conect to Ericsson's
internal WiFi network, I would expect checks that I am taking to the EAP
server, not the printer. I would also expect checks that I talk with
Ericsson EAP server, and not Huawei's or Nokia's EAP server. Should
Network be replaced by a better term?


Some comments from me on Section 2.2

"EAP peers MAY implement a trust on first
use (TOFU) mechanism where the peer trusts and stores the server
certificate during the first connection attempt."

This requires some security consideration, I think....


"Iimplementations MAY rely on system-wide root CA
certificate bundles for authenticating the server certificate.
If server name matching is not used"

This seems to indicate that it is ok to not do any server authentication. The TLS CertificateVerify message does not give any authentication in itself, it only enables the application using TLS to do authentication.

Section 2.2. "Identity Verification" needs to match current deployments and uses of EAP-TLS. But if EAP-TLS does not even mandate server authentication, does it really make sense to mandate revocation?

Cheers,
John


From: Emu <emu-bounces@ietf.org> on behalf of Oleg Pekar <oleg.pekar.2017@gmail.com>
Date: Monday, 31 May 2021 at 17:46
To: Joseph Salowey <joe@salowey.net>
Cc: stpeter@mozilla.com <stpeter@mozilla.com>om>, EMU WG <emu@ietf.org>
Subject: Re: [Emu] EAP-TLS 1.3 Section 2.2 text
This version is fine. Just the term "EAP servers for the network" still looks confusing to me. Maybe we can use instead the more detailed explanation that you provided above.

On Tue, May 25, 2021 at 7:45 AM Joseph Salowey <joe@salowey.net<mailto:joe@salowey.net>> wrote:
I made some changes to the pull request to address some of the comments and make the text clearer:


The EAP peer identity provided in the EAP-Response/Identity is not

   authenticated by EAP-TLS.  Unauthenticated information MUST NOT be

   used for accounting purposes or to give authorization.  The

   authenticator and the EAP-TLS server MAY examine the identity

   presented in EAP-Response/Identity for purposes such as routing and

   EAP method selection.  EAP-TLS servers MAY reject conversations if

   the identity does not match their policy.  Note that this also

   applies to resumption, see Sections 2.1.3, 5.6, and 5.7.



   The EAP server identity in the TLS server certificate is typically a

   fully qualified domain name (FQDN) in the SubjectAltName (SAN)

   extension.  Since EAP-TLS deployments may use more than one EAP

   server, each with a different certificate, EAP peer implementations

   SHOULD allow for the configuration of a unique trusted root (CA

   certificate) to authenticate the server certificate and one or more

   server names to match against the SubjectAltName (SAN) extension in

   the server certificate.  To simplify name matching, an EAP-TLS

   deployment can assign a name to represent an authorized EAP server

   and EAP Server certificates can include this name in the list of SANs

   for each certificate that represents an EAP-TLS server.  If server

   name matching is not used, then peers may end up trusting servers for

   EAP authentication that are not intended to be EAP servers for the

   network.  If name matching is not used with a public root CA, then

   effectively any server can obtain a certificate which will be trusted

   for EAP authentication by the Peer.



   The process of configuring a root CA certificate and a server name is

   non-trivial and therefore automated methods of provisioning are

   RECOMMENDED.  For example, the eduroam federation [RFC7593] provides

   a Configuration Assistant Tool (CAT) to automate the configuration

   process.  In the absence of a trusted root CA certificate (user

   configured or system-wide), EAP peers MAY implement a trust on first

   use (TOFU) mechanism where the peer trusts and stores the server

   certificate during the first connection attempt.  The EAP peer

   ensures that the server presents the same stored certificate on

   subsequent interactions.  Use of a TOFU mechanism does not allow for

   the server certificate to change without out-of-band validation of

   the certificate and is therefore not suitable for many deployments

   including ones where multiple EAP servers are deployed for high

   availability.

On Thu, May 20, 2021 at 10:23 PM Joseph Salowey <joe@salowey.net<mailto:joe@salowey.net>> wrote:


On Wed, May 19, 2021 at 5:58 AM Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com>> wrote:
On May 19, 2021, at 8:37 AM, Oleg Pekar <oleg.pekar.2017@gmail.com<mailto:oleg.pekar.2017@gmail.com>> wrote:
> After thinking a bit more about it - for the sake of the client implementation clarity, would it be better if we provide the strict algorithm for server identity check or maybe reference RFC 6125.

  Given the time frame and what we know, I think the existing text is OK.

[Joe] In addition the intent of the text is to make implementers aware of the issues and provide some guidance as to how to solve the problem.  I don't think we can dictate too much more at this point.   We can have follow-on work to have a strict algorithm is depolyers and implementers feel it is necessary.

  This is what wpa_supplicant does in it's implementation, and it seems to work fine.  Apple appears to do the same thing:

https://opensource.apple.com/source/eap8021x/eap8021x-264.30.3/EAP8021X.fproj/EAPTLSUtil.c.auto.html

  Look for "trusted_server_names", which leads to:

https://opensource.apple.com/source/eap8021x/eap8021x-156/EAP8021X.fproj/EAPTLSUtil.c

server_name_matches_server_names()

  Which checks if the name from the cert is an exact match for one of the "trusted_server_names", or contains "*." followed by a suffix which is one of the trusted server names.

  I think it's past the time where this document can ask supplicants to change their behavior.  We know what the supplicants do, it's not wrong, and it seems to work.  So let's document that, and move on.

  Alan DeKok.