Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

"Cappalli, Tim (Aruba)" <timc@hpe.com> Tue, 12 November 2019 20:13 UTC

From: "Cappalli, Tim (Aruba)" <timc@hpe.com>
To: Alan DeKok <aland@deployingradius.com>, Russ Housley <housley@vigilsec.com>
CC: "emu@ietf.org" <emu@ietf.org>
Date: Tue, 12 Nov 2019 20:13:24 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/yGyI_kkSbXKSY_nvMdr-hkq6o4k>

How does a public CA prove ownership of an SSID?

From: Emu <emu-bounces@ietf.org>
Date: Tuesday, November 12, 2019 at 3:08 PM
To: Russ Housley <housley@vigilsec.com>
Cc: emu@ietf.org <emu@ietf.org>
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

On Nov 12, 2019, at 11:43 AM, Russ Housley <housley@vigilsec.com> wrote:
>
> Can the extended key usage for EAP over a LAN ( id-kp-eapOverLAN ) solve this for you?  It is defined in RFC 4334.  A certificate for Web PKI should not include this extended key usage.
>
> RFC 4334 also offers a certificate extension that lists the SSIDs that are associated with the server.

  That does sound relevant.  I wasn't even aware of that document.

  While RFC 4334 offers the id-kp-eapOverLAN OID, I'm not aware of anyone using it.  Even Microsoft supplicants still require the TLS web server auth OID (1.3.6.1.5.5.7.3.1).

  So yes, RFC 4334 is absolutely relevant here.

  Alan DeKok.
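A check a deployer can run over the two RFC 4334 extension values discussed above, as an added example (not code from this thread, from RFC 4334, or from any supplicant): a minimal DER decoder pulls the KeyPurposeId list out of an extendedKeyUsage value and the SSIDList out of an id-pe-wlanSSID value, then reports whether the certificate carries id-kp-eapOverLAN, whether it still carries the serverAuth OID (1.3.6.1.5.5.7.3.1) that the supplicants Alan mentions insist on, and which SSIDs it names. The sample extension bytes are constructed for this example.

```python
from typing import Iterator, List, Tuple

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth, the OID Microsoft supplicants require
ID_KP_EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"  # id-kp-eapOverLAN, RFC 4334

def _tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos -> (tag, value, position after it); handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    """OBJECT IDENTIFIER contents -> dotted string; the first octet packs the first two arcs."""
    arcs, acc = list(divmod(value[0], 40)), 0
    for b in value[1:]:  # base-128 arcs, high bit set on every octet except the last
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _sequence_items(ext_value: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) of each element of the single top-level SEQUENCE in ext_value."""
    tag, body, end = _tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("extension value is not one DER SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        yield tag, value

def parse_eku(ext_value: bytes) -> List[str]:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (OBJECT IDENTIFIER)."""
    return [_decode_oid(v) for t, v in _sequence_items(ext_value) if t == 0x06]

def parse_ssid_list(ext_value: bytes) -> List[bytes]:
    """RFC 4334: SSIDList ::= SEQUENCE OF SSID; SSID ::= OCTET STRING (SIZE (1..32))."""
    return [v for t, v in _sequence_items(ext_value) if t == 0x04 and 1 <= len(v) <= 32]

def eap_server_cert_report(eku_value: bytes, ssid_value: bytes) -> dict:
    """What the two extensions say about an EAP-TLS server certificate."""
    purposes = parse_eku(eku_value)
    return {"eap_over_lan": ID_KP_EAP_OVER_LAN in purposes,
            "ok_for_serverauth_only_supplicants": ID_KP_SERVER_AUTH in purposes,
            "ssids": [s.decode("utf-8", "replace") for s in parse_ssid_list(ssid_value)]}

# Constructed samples (not from a real cert): EKU = {serverAuth, eapOverLAN}; SSIDs = {example-wifi, guest}
SAMPLE_EKU = bytes.fromhex("3014" "06082b06010505070301" "06082b0601050507030e")
SAMPLE_SSIDS = bytes.fromhex("3015" "040c6578616d706c652d77696669" "04056775657374")
```

An EKU holding only id-kp-eapOverLAN decodes fine but the report flags it as unusable for supplicants that demand serverAuth, which is the interoperability gap Alan describes.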
