Re: [Emu] Best practices for supplicants and authenticators

"Cappalli, Tim (Aruba)" <timc@hpe.com> Mon, 18 November 2019 16:01 UTC

From: "Cappalli, Tim (Aruba)" <timc@hpe.com>
To: Alan DeKok <aland@deployingradius.com>
CC: EMU WG <emu@ietf.org>
Date: Mon, 18 Nov 2019 16:01:34 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/vXAaT3UO3uER652ZMq_BQ9oFilg>

So you’re saying an NAIRealm must be a publicly registered domain name? I agree, but just want to be crystal clear.

tim

From: Alan DeKok <aland@deployingradius.com>
Date: Monday, November 18, 2019 at 10:57 AM
To: Cappalli, Tim (Aruba) <timc@hpe.com>
Cc: EMU WG <emu@ietf.org>
Subject: Re: [Emu] Best practices for supplicants and authenticators


> On Nov 18, 2019, at 10:47 AM, Cappalli, Tim (Aruba) <timc@hpe.com> wrote:
>
> Alan – Adding yet another OID and/or EKU to a certificate does not change the fact that no authority can attest to that information. A public CA cannot validate ownership of an NAIRealm.

  That's not true.

  Public CAs validate ownership of domain names. The NAIRealm is a domain name.  And, the NAIRealm is the *same* as the domain name in the certificate.  Which the CA validated.

  Unless you have a counter-argument, that discussion should be closed.

> So while a supplicant could be configured to validate that the server’s NAIRealm matches the local configuration, that doesn’t change the requirement to manually configure the supplicant.

  I explained how it could simplify the supplicant's configuration.

> So what are we actually trying to improve here?

  See my previous messages for explanations.

  Alan DeKok.
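The supplicant-side check the two of them are arguing about, written out as an added example (not code from this thread or from either participant): the server certificate's NAIRealm must equal the locally configured realm, and that realm must also be present as a CA-validated dNSName. It assumes the realm is carried as the RFC 7585 NAIRealm otherName (id-on-naiRealm, OID 1.3.6.1.5.5.7.8.8) in subjectAltName, and constructs the SAN GeneralNames value by hand instead of reading a real certificate.

```python
# Added example (not code from the thread): supplicant-side NAIRealm check.
# Assumes the realm rides in subjectAltName as the RFC 7585 NAIRealm otherName
# (id-on-naiRealm, OID 1.3.6.1.5.5.7.8.8); the SAN below is constructed by hand.

NAI_REALM_OID = bytes.fromhex("2b06010505070808")  # DER content octets of the OID

def tlv(tag, body):
    """DER TLV; short-form length only (all bodies here are < 128 bytes)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def build_san(dns_names, realms):
    """GeneralNames ::= SEQUENCE OF GeneralName.  dNSName is [2] IA5String;
    otherName is [0] SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }."""
    names = b"".join(tlv(0x82, d.encode("ascii")) for d in dns_names)
    for r in realms:
        names += tlv(0xA0, tlv(0x06, NAI_REALM_OID) + tlv(0xA0, tlv(0x0C, r.encode())))
    return tlv(0x30, names)

def der_items(buf):
    """Walk consecutive short-form TLVs, yielding (tag, content)."""
    i = 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        yield tag, buf[i + 2:i + 2 + ln]
        i += 2 + ln

def san_names(san):
    """Return (dNSNames, NAIRealms) found in a DER-encoded GeneralNames value."""
    dns, realms = [], []
    (_, seq), = der_items(san)
    for tag, val in der_items(seq):
        if tag == 0x82:
            dns.append(val.decode("ascii"))
        elif tag == 0xA0:  # otherName; only the NAIRealm type-id is of interest
            (oid_tag, oid), (_, explicit) = der_items(val)
            if (oid_tag, oid) == (0x06, NAI_REALM_OID):
                (utf8_tag, realm), = der_items(explicit)
                if utf8_tag == 0x0C:
                    realms.append(realm.decode("utf-8"))
    return dns, realms

def realm_matches(san, configured_realm):
    """Accept only if the server's NAIRealm equals the supplicant's configured
    realm AND that realm also appears as a dNSName, so the CA's domain-ownership
    validation covers the realm the server claims to serve."""
    dns, realms = san_names(san)
    want = configured_realm.lower()
    return want in map(str.lower, realms) and want in map(str.lower, dns)
```

A certificate whose NAIRealm is not backed by a matching dNSName fails the check even when the realm string itself matches, which is the case where the CA has not actually validated what the realm claims.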