Re: [Emu] Best practices for supplicants and authenticators
Alan DeKok <aland@deployingradius.com> Mon, 18 November 2019 15:34 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 985271209A6 for <emu@ietfa.amsl.com>; Mon, 18 Nov 2019 07:34:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EaNakniQLOqd for <emu@ietfa.amsl.com>; Mon, 18 Nov 2019 07:34:43 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 360E312098F for <emu@ietf.org>; Mon, 18 Nov 2019 07:34:33 -0800 (PST)
Received: from [192.168.46.58] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id E087C1301; Mon, 18 Nov 2019 15:34:30 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none header.from=deployingradius.com
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <AT5PR8401MB0530EEE33628E2DB3098C1E6DB4D0@AT5PR8401MB0530.NAMPRD84.PROD.OUTLOOK.COM>
Date: Mon, 18 Nov 2019 10:34:29 -0500
Cc: EMU WG <emu@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D3569D77-A2AB-4FEE-BF2A-1AAAFCB9D3D6@deployingradius.com>
References: <526166D8-80B9-4356-84D9-52ACD49E004B@deployingradius.com> <AT5PR8401MB0530EEE33628E2DB3098C1E6DB4D0@AT5PR8401MB0530.NAMPRD84.PROD.OUTLOOK.COM>
To: "Cappalli, Tim (Aruba)" <timc@hpe.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/zY0Ph-GJfeCZORmzq0rAEg3gwm4>
Subject: Re: [Emu] Best practices for supplicants and authenticators
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2019 15:34:48 -0000
> On Nov 18, 2019, at 10:22 AM, Cappalli, Tim (Aruba) <timc@hpe.com> wrote: > > So again, if NAIRealm is not bound to an organization’s public domain name, I never suggested that or implied it. I'm not sure why it's relevant. > how does a public CA prove ownership of an NAIRealm? How is this different than ESSID? I had hoped that my point was clear. The requirement would be for the NAIReam to be in the same domain as rest of the certificate. Anything else makes zero sense. i.e. if the certificate is from "example.org", then the NAIRealm should be "example.org", or any other name within that domain. Such as "radius.example.org" > I don’t see how this improves assurance of a server identity. No one proposed the position you're opposing, so the conclusion above is irrelevant. On the other hand, if the requirement is that the NAIRealm be the domain name, then it makes perfect sense, and it's useful. We can't use existing fields to derive the NAIRealm. The common name is typically an email address and *not* a domain name. The various DNS fields are DNS host names (FQDNs), and not domain names. We can *suggest* that supplicants can check these fields. But it involves parsing them, and deriving *implicit* meaning from them. In contrast, an NAIRealm field is *explicit* meaning, that doesn't require additional derivation. I think that explicit statements of intent are useful. I don't see why there's any controversy about this. Alan DeKok.
- [Emu] Best practices for supplicants and authenti… Alan DeKok
- Re: [Emu] Best practices for supplicants and auth… Cappalli, Tim (Aruba)
- Re: [Emu] Best practices for supplicants and auth… Jan-Frederik Rieckers
- Re: [Emu] Best practices for supplicants and auth… Alan DeKok
- Re: [Emu] Best practices for supplicants and auth… Cappalli, Tim (Aruba)
- Re: [Emu] Best practices for supplicants and auth… Alan DeKok
- Re: [Emu] Best practices for supplicants and auth… Cappalli, Tim (Aruba)
- Re: [Emu] Best practices for supplicants and auth… Alan DeKok
- Re: [Emu] Best practices for supplicants and auth… Cappalli, Tim (Aruba)
- Re: [Emu] Best practices for supplicants and auth… Alan DeKok
- Re: [Emu] Best practices for supplicants and auth… Owen Friel (ofriel)
- Re: [Emu] Best practices for supplicants and auth… Alan DeKok