IETF Logo Mail Archive

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

Dan Harkins <dharkins@lounge.org> Wed, 20 November 2019 14:58 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C5671200F8 for <emu@ietfa.amsl.com>; Wed, 20 Nov 2019 06:58:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gFUrBPnByKSG for <emu@ietfa.amsl.com>; Wed, 20 Nov 2019 06:58:28 -0800 (PST)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69185120868 for <emu@ietf.org>; Wed, 20 Nov 2019 06:58:28 -0800 (PST)
Received: from trixy.bergandi.net (cpe-76-93-158-174.san.res.rr.com [76.93.158.174]) by wwwlocal.goatley.com (PMDF V6.8-0 #1001) with ESMTP id <0Q1900NK4W9FNB@wwwlocal.goatley.com> for emu@ietf.org; Wed, 20 Nov 2019 08:58:27 -0600 (CST)
Received: from dhcp-9ca5.meeting.ietf.org ([31.133.156.165]) by trixy.bergandi.net (PMDF V6.7-x01 #1001) with ESMTPSA id <0Q1900CF6W4PIU@trixy.bergandi.net> for emu@ietf.org; Wed, 20 Nov 2019 06:55:39 -0800 (PST)
Received: from dhcp-9ca5.meeting.ietf.org ([31.133.156.165] EXTERNAL) (EHLO dhcp-9ca5.meeting.ietf.org) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Wed, 20 Nov 2019 06:55:39 -0800
Date: Wed, 20 Nov 2019 06:58:23 -0800
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <F874EEFC-EEB4-4588-B92B-835D52A8057B@deployingradius.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: emu@ietf.org
Message-id: <20c3dea6-d0e9-3b0c-c6dc-e3ae54e8a067@lounge.org>
MIME-version: 1.0
Content-type: text/plain; charset="utf-8"; format="flowed"
Content-language: en-US
Content-transfer-encoding: 8bit
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=31.133.156.165)
X-PMAS-External-Auth: dhcp-9ca5.meeting.ietf.org [31.133.156.165] (EHLO dhcp-9ca5.meeting.ietf.org)
References: <102dd850-b1ae-3426-8189-45876b7b419d@uni-bremen.de> <E0B8DAA7-8C7C-455F-B5BE-128670A093D3@vigilsec.com> <BD30A64D-539C-422D-9413-880AF8D6A16F@deployingradius.com> <8147b718-23d6-07de-a565-08bcc8148095@uni-bremen.de> <MN2PR11MB3901077F38165EE241D30BC5DB740@MN2PR11MB3901.namprd11.prod.outlook.com> <08da27e5-518e-b6a4-a97a-b4ae9c32ed00@uni-bremen.de> <46C8D8C4-7317-47F3-8F9B-6C56F7B7FEE9@vigilsec.com> <F45360DB-D474-4600-BEFD-3C844FA4CB0A@deployingradius.com> <AT5PR8401MB05309002D11E8AEF1018D250DB770@AT5PR8401MB0530.NAMPRD84.PROD.OUTLOOK.COM> <9907D136-C262-48BC-8630-0EABC0EB97F5@deployingradius.com> <c54e1c65-8600-9b36-5b97-7c1425a82fc3@lounge.org> <CB7B2197-7984-4EB0-95CB-1BDCD701E3DE@deployingradius.com> <339ba466-d24c-6950-3271-68dc71cfcba8@lounge.org> <822C82FA-4AF5-4BAF-8A19-40CE0E57B391@deployingradius.com> <13edb98a-36d8-d616-77dd-75d16ab6ff58@lounge.org> <F874EEFC-EEB4-4588-B92B-835D52A8057B@deployingradius.com>
X-PMAS-Software: PreciseMail V3.3 [191118] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/vedE5_0cn5LALU8CjE4hJnL-ycA>
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2019 14:58:33 -0000


On 11/20/19 4:11 AM, Alan DeKok wrote:
> On Nov 20, 2019, at 5:23 AM, Dan Harkins <dharkins@lounge.org> wrote:
>> I am asking for
>> ambiguous data to be certified and placed in my certificate for my own use? If this attribute
>> is in a certificate I receive then what does it mean to "select the correct certificate for
>> authentication in a particular WLAN"?
>    The text explains this in detail.  I'll summarize.
>
>    The use-case of the document is that an individual is issued a client certificate.  That certificate contains an OID about the expected use-case (EAPoL), and also a list of SSIDs used to perform EAP.  When a client system is confronted with a set of SSIDs, it can cross-correlate the SSIDs it sees with SSIDs in it's certificate store.  The client system can then select an appropriate authentication method (EAP versus WPA-PSK), and also a client certificate to use.  Since it's selected a client cert, it can also verify the certificate chain back to the root.

   So you asked for imprecise, ambiguous, and unverified information to 
be put
in your own certificate for you to use later. Just because something is 
in an
RFC doesn't make it right. And appeal to RFC is another form of appeal to
authority fallacy.

   Oh, and what's the point of verifying the chain of your own 
certificate prior
to connecting to a network? Do you do OCSP responses to see if your 
certificate
has been revoked?

>    I would *also* argue that this information can be placed in a server certificate, for situations when client certificates are not being used.  As discussed extensively previously on this list, a client can connect to an SSID, obtain the server cert, and then verify:

   Yea, and that's why I gave you the list of actions a client takes and 
asked
you to point out where in the list this happens. You deleted the list.

> a) the server cert is intended for EAPoL (and is not just a cert taken from a web server)
> b) the SSIDs in the cert match the SSID used to authenticate
> c) the NAIRealm in the cert matches a user identifier stored in the client system
>
>    In which case the client has *more* information than what is available to it today, and can thus make better decisions about whether or not to accept the cert.

   If the information is ambiguous and unverified why would you use it 
in a decision
to accept a certificate or not?

>>    This attribute seems useless to me and its ambiguity and therefore unverifiability is a
>> large reason why.
>    I would suggest not using it for your own purposes then.  I would also suggest allowing *others* to use it, if they find it useful.

   I'm not proposing to prevent you from doing anything. I'm asking 
what's the point
and why. You didn't really provide one. And good luck getting a public 
CA to put
ambiguous and unverifiable information in a certificate for you.

   Dan.

v2.23.0 | Report a Bug | By Email