Re: [Emu] Issue 47 Certificate identity checks

Eliot Lear <lear@cisco.com> Mon, 12 April 2021 18:08 UTC

Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
From: Eliot Lear <lear@cisco.com>
Message-Id: <2A01F606-4B26-4B7D-BEA1-3BEF89A153DB@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_F1ED82D9-E7FB-467C-8E61-B96B2CD9FC21"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Date: Mon, 12 Apr 2021 20:07:37 +0200
In-Reply-To: <2DE1DAF6-FA19-4F57-AF5C-BA6A39869B0C@deployingradius.com>
Cc: Joseph Salowey <joe@salowey.net>, EMU WG <emu@ietf.org>
To: Alan DeKok <aland@deployingradius.com>
References: <CAOgPGoArm2RdEN4V-L9XEUvOeG0Vs+58Zj_p3Y2yRY0aYsVV_A@mail.gmail.com> <950CF2A7-2C9A-4BAE-8EA2-0FC2DE3C740C@deployingradius.com> <CAOgPGoBm7pas9i6n-y8g1yqP+ea68=_8DueHqywDQLBcMGEJ9g@mail.gmail.com> <2DE1DAF6-FA19-4F57-AF5C-BA6A39869B0C@deployingradius.com>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/zdgQrh69LCkgiOM3yg8OD0livl4>
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>


> On 12 Apr 2021, at 19:54, Alan DeKok <aland@deployingradius.com> wrote:
> 
> On Apr 12, 2021, at 12:22 PM, Joseph Salowey <joe@salowey.net> wrote:
>> [Joe]  without some sort of name matching using certs from a public CA is unwise.
> 
>  The only other alternative is to "pin" the server cert.  Many systems support this.  Perhaps mentioning [Trust On] First Use (TOFU) would help here.
> 

That won’t work for headless wireless.

Yes, we have kicked that hornet’s nest.  I hope everyone is wearing appropriate netting.

Eliot
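The two identity checks the thread contrasts (matching the server certificate's SAN against a name the supplicant was configured with, versus pinning the server key and trusting it on first use) as an added example; this is not code from the thread, from the EMU working group or from any EAP implementation. It operates on the SAN dNSName list and the DER SubjectPublicKeyInfo that a TLS library is assumed to have already extracted from the server certificate; the host names, the SSID "corp-wifi" and the SPKI byte strings are constructed. The `demo()` function shows why a public-CA certificate without name matching is not enough: both the real and the rogue server chain to a trusted CA, and only the name check tells them apart, while the TOFU path accepts whichever key shows up first.

```python
"""Server-identity binding for an EAP-TLS/TTLS/PEAP supplicant:
name matching vs. SPKI pinning with trust-on-first-use (TOFU).

Added example, not code from the EMU thread or any EAP implementation.
Inputs are the SAN dNSName list and the DER SubjectPublicKeyInfo that a TLS
library has already extracted from the server certificate (assumed done
elsewhere); every name, SSID and SPKI byte string below is constructed.
"""
from __future__ import annotations

import hashlib


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lower-case, drop trailing dot, reject empty labels."""
    name = name.strip().rstrip(".").lower()
    labels = name.split(".")
    if not name or any(not lbl for lbl in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels


def dns_name_matches(presented: str, reference: str) -> bool:
    """Compare one SAN dNSName with the name the supplicant was configured with.

    Strict RFC 6125 / RFC 9525 reading:
      * case-insensitive, trailing dot ignored;
      * a wildcard is honoured only as the whole leftmost label and matches
        exactly one label ('*.example.com' does not cover 'a.b.example.com');
      * '*.com'-style names (fewer than two labels right of the '*') and
        partial wildcards ('rad*.example.com') are rejected as unsafe.
    """
    if "*" in reference:
        return False  # the configured name must be a concrete host name
    p, r = _labels(presented), _labels(reference)
    if "*" not in presented:
        return p == r
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    return len(p) == len(r) and p[1:] == r[1:]


def check_server_name(san_dns_names: list[str], expected: str) -> bool:
    """True if any SAN dNSName matches the configured server name."""
    return any(dns_name_matches(n, expected) for n in san_dns_names)


def spki_pin(spki_der: bytes) -> str:
    """Pin = SHA-256 over the DER SubjectPublicKeyInfo (RFC 7469 style)."""
    return hashlib.sha256(spki_der).hexdigest()


class TofuPinStore:
    """Per-network pin store: remember the first key seen, reject later changes.

    The first call for a network *is* the trust decision; nothing here can
    tell whether that first key belonged to the right server, which is the
    objection to TOFU on a headless device with nobody to confirm it.
    """

    def __init__(self, pins: dict[str, str] | None = None) -> None:
        self._pins = dict(pins or {})  # network id -> hex SPKI pin

    def check(self, network: str, spki_der: bytes) -> str:
        pin = spki_pin(spki_der)
        stored = self._pins.get(network)
        if stored is None:
            self._pins[network] = pin
            return "first-use"  # accepted blind, now pinned
        return "match" if stored == pin else "mismatch"


def demo() -> dict[str, object]:
    """Two servers whose certificates chain to the same public CA (constructed).

    Only the name check distinguishes them; TOFU pins whichever key came first.
    """
    configured_name = "radius.example.com"
    real_server = {"san": ["radius.example.com", "*.wifi.example.com"],
                   "spki": b"constructed-spki-of-real-server"}
    rogue_server = {"san": ["eap.attacker.example"],
                    "spki": b"constructed-spki-of-rogue-server"}
    store = TofuPinStore()
    return {
        "name_check_real": check_server_name(real_server["san"], configured_name),
        "name_check_rogue": check_server_name(rogue_server["san"], configured_name),
        "tofu_first": store.check("corp-wifi", real_server["spki"]),
        "tofu_repeat": store.check("corp-wifi", real_server["spki"]),
        "tofu_rogue": store.check("corp-wifi", rogue_server["spki"]),
    }


if __name__ == "__main__":
    print(demo())
```

The pin store is kept in memory so the block runs stand-alone; a real supplicant would persist the pins per network and needs an out-of-band way to seed them (or to confirm the first key) if the device has no user to ask.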