Re: [Emu] Idea: New X509 Extension for securing EAP-TLS
Dan Harkins <dharkins@lounge.org> Wed, 20 November 2019 14:58 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C5671200F8 for <emu@ietfa.amsl.com>; Wed, 20 Nov 2019 06:58:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gFUrBPnByKSG for <emu@ietfa.amsl.com>; Wed, 20 Nov 2019 06:58:28 -0800 (PST)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69185120868 for <emu@ietf.org>; Wed, 20 Nov 2019 06:58:28 -0800 (PST)
Received: from trixy.bergandi.net (cpe-76-93-158-174.san.res.rr.com [76.93.158.174]) by wwwlocal.goatley.com (PMDF V6.8-0 #1001) with ESMTP id <0Q1900NK4W9FNB@wwwlocal.goatley.com> for emu@ietf.org; Wed, 20 Nov 2019 08:58:27 -0600 (CST)
Received: from dhcp-9ca5.meeting.ietf.org ([31.133.156.165]) by trixy.bergandi.net (PMDF V6.7-x01 #1001) with ESMTPSA id <0Q1900CF6W4PIU@trixy.bergandi.net> for emu@ietf.org; Wed, 20 Nov 2019 06:55:39 -0800 (PST)
Received: from dhcp-9ca5.meeting.ietf.org ([31.133.156.165] EXTERNAL) (EHLO dhcp-9ca5.meeting.ietf.org) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Wed, 20 Nov 2019 06:55:39 -0800
Date: Wed, 20 Nov 2019 06:58:23 -0800
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <F874EEFC-EEB4-4588-B92B-835D52A8057B@deployingradius.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: emu@ietf.org
Message-id: <20c3dea6-d0e9-3b0c-c6dc-e3ae54e8a067@lounge.org>
MIME-version: 1.0
Content-type: text/plain; charset="utf-8"; format="flowed"
Content-language: en-US
Content-transfer-encoding: 8bit
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=31.133.156.165)
X-PMAS-External-Auth: dhcp-9ca5.meeting.ietf.org [31.133.156.165] (EHLO dhcp-9ca5.meeting.ietf.org)
References: <102dd850-b1ae-3426-8189-45876b7b419d@uni-bremen.de> <E0B8DAA7-8C7C-455F-B5BE-128670A093D3@vigilsec.com> <BD30A64D-539C-422D-9413-880AF8D6A16F@deployingradius.com> <8147b718-23d6-07de-a565-08bcc8148095@uni-bremen.de> <MN2PR11MB3901077F38165EE241D30BC5DB740@MN2PR11MB3901.namprd11.prod.outlook.com> <08da27e5-518e-b6a4-a97a-b4ae9c32ed00@uni-bremen.de> <46C8D8C4-7317-47F3-8F9B-6C56F7B7FEE9@vigilsec.com> <F45360DB-D474-4600-BEFD-3C844FA4CB0A@deployingradius.com> <AT5PR8401MB05309002D11E8AEF1018D250DB770@AT5PR8401MB0530.NAMPRD84.PROD.OUTLOOK.COM> <9907D136-C262-48BC-8630-0EABC0EB97F5@deployingradius.com> <c54e1c65-8600-9b36-5b97-7c1425a82fc3@lounge.org> <CB7B2197-7984-4EB0-95CB-1BDCD701E3DE@deployingradius.com> <339ba466-d24c-6950-3271-68dc71cfcba8@lounge.org> <822C82FA-4AF5-4BAF-8A19-40CE0E57B391@deployingradius.com> <13edb98a-36d8-d616-77dd-75d16ab6ff58@lounge.org> <F874EEFC-EEB4-4588-B92B-835D52A8057B@deployingradius.com>
X-PMAS-Software: PreciseMail V3.3 [191118] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/vedE5_0cn5LALU8CjE4hJnL-ycA>
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2019 14:58:33 -0000
On 11/20/19 4:11 AM, Alan DeKok wrote: > On Nov 20, 2019, at 5:23 AM, Dan Harkins <dharkins@lounge.org> wrote: >> I am asking for >> ambiguous data to be certified and placed in my certificate for my own use? If this attribute >> is in a certificate I receive then what does it mean to "select the correct certificate for >> authentication in a particular WLAN"? > The text explains this in detail. I'll summarize. > > The use-case of the document is that an individual is issued a client certificate. That certificate contains an OID about the expected use-case (EAPoL), and also a list of SSIDs used to perform EAP. When a client system is confronted with a set of SSIDs, it can cross-correlate the SSIDs it sees with SSIDs in it's certificate store. The client system can then select an appropriate authentication method (EAP versus WPA-PSK), and also a client certificate to use. Since it's selected a client cert, it can also verify the certificate chain back to the root. So you asked for imprecise, ambiguous, and unverified information to be put in your own certificate for you to use later. Just because something is in an RFC doesn't make it right. And appeal to RFC is another form of appeal to authority fallacy. Oh, and what's the point of verifying the chain of your own certificate prior to connecting to a network? Do you do OCSP responses to see if your certificate has been revoked? > I would *also* argue that this information can be placed in a server certificate, for situations when client certificates are not being used. As discussed extensively previously on this list, a client can connect to an SSID, obtain the server cert, and then verify: Yea, and that's why I gave you the list of actions a client takes and asked you to point out where in the list this happens. You deleted the list. > a) the server cert is intended for EAPoL (and is not just a cert taken from a web server) > b) the SSIDs in the cert match the SSID used to authenticate > c) the NAIRealm in the cert matches a user identifier stored in the client system > > In which case the client has *more* information than what is available to it today, and can thus make better decisions about whether or not to accept the cert. If the information is ambiguous and unverified why would you use it in a decision to accept a certificate or not? >> This attribute seems useless to me and its ambiguity and therefore unverifiability is a >> large reason why. > I would suggest not using it for your own purposes then. I would also suggest allowing *others* to use it, if they find it useful. I'm not proposing to prevent you from doing anything. I'm asking what's the point and why. You didn't really provide one. And good luck getting a public CA to put ambiguous and unverifiable information in a certificate for you. Dan.
- [Emu] Idea: New X509 Extension for securing EAP-T… Jan-Frederik Rieckers
- Re: [Emu] Idea: New X509 Extension for securing E… Russ Housley
- Re: [Emu] Idea: New X509 Extension for securing E… Alan DeKok
- Re: [Emu] Idea: New X509 Extension for securing E… Russ Housley
- Re: [Emu] Idea: New X509 Extension for securing E… Alan DeKok
- Re: [Emu] Idea: New X509 Extension for securing E… Jan-Frederik Rieckers
- Re: [Emu] Idea: New X509 Extension for securing E… Owen Friel (ofriel)
- Re: [Emu] Idea: New X509 Extension for securing E… Alan DeKok
- Re: [Emu] Idea: New X509 Extension for securing E… Jan-Frederik Rieckers
- Re: [Emu] Idea: New X509 Extension for securing E… Michael Richardson
- Re: [Emu] Idea: New X509 Extension for securing E… Michael Richardson
- Re: [Emu] Idea: New X509 Extension for securing E… Jan-Frederik Rieckers
- Re: [Emu] Idea: New X509 Extension for securing E… Alan DeKok
- Re: [Emu] Idea: New X509 Extension for securing E… Russ Housley
- Re: [Emu] Idea: New X509 Extension for securing E… Alan DeKok
- Re: [Emu] Idea: New X509 Extension for securing E… Cappalli, Tim (Aruba)
- Re: [Emu] Idea: New X509 Extension for securing E… Alan DeKok
- Re: [Emu] Idea: New X509 Extension for securing E… Cappalli, Tim (Aruba)
- Re: [Emu] Idea: New X509 Extension for securing E… Alan DeKok
- Re: [Emu] Idea: New X509 Extension for securing E… Jan-Frederik Rieckers
- Re: [Emu] Idea: New X509 Extension for securing E… Michael Richardson
- Re: [Emu] Idea: New X509 Extension for securing E… Michael Richardson
- Re: [Emu] Idea: New X509 Extension for securing E… Alan DeKok
- Re: [Emu] Idea: New X509 Extension for securing E… Michael Richardson
- Re: [Emu] Idea: New X509 Extension for securing E… Owen Friel (ofriel)
- Re: [Emu] Idea: New X509 Extension for securing E… Owen Friel (ofriel)
- Re: [Emu] Idea: New X509 Extension for securing E… Owen Friel (ofriel)
- Re: [Emu] Idea: New X509 Extension for securing E… Alan DeKok
- Re: [Emu] Idea: New X509 Extension for securing E… Owen Friel (ofriel)
- Re: [Emu] Idea: New X509 Extension for securing E… Dan Harkins
- Re: [Emu] Idea: New X509 Extension for securing E… Alan DeKok
- Re: [Emu] Idea: New X509 Extension for securing E… Dan Harkins
- Re: [Emu] Idea: New X509 Extension for securing E… Alan DeKok
- Re: [Emu] Idea: New X509 Extension for securing E… Dan Harkins
- Re: [Emu] Idea: New X509 Extension for securing E… Alan DeKok
- Re: [Emu] Idea: New X509 Extension for securing E… Dan Harkins
- Re: [Emu] Idea: New X509 Extension for securing E… Alan DeKok
- Re: [Emu] Idea: New X509 Extension for securing E… Dan Harkins
- Re: [Emu] Idea: New X509 Extension for securing E… Alan DeKok