Re: Security for the IETF wireless network
Stefan Winter <stefan.winter@restena.lu> Fri, 25 July 2014 15:39 UTC
Return-Path: <stefan.winter@restena.lu>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6718C1A033A for <ietf@ietfa.amsl.com>; Fri, 25 Jul 2014 08:39:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uXQJktdOl27Z for <ietf@ietfa.amsl.com>; Fri, 25 Jul 2014 08:39:27 -0700 (PDT)
Received: from smtp.restena.lu (legolas.restena.lu [IPv6:2001:a18:1::34]) by ietfa.amsl.com (Postfix) with ESMTP id 53A331A0337 for <ietf@ietf.org>; Fri, 25 Jul 2014 08:39:27 -0700 (PDT)
Received: from smtp.restena.lu (localhost [127.0.0.1]) by smtp.restena.lu (Postfix) with ESMTP id B33FCF1068; Fri, 25 Jul 2014 17:39:26 +0200 (CEST)
Received: from viper.local (unknown [158.64.15.196]) by smtp.restena.lu (Postfix) with ESMTPSA id 42C91F1065; Fri, 25 Jul 2014 17:39:26 +0200 (CEST)
Message-ID: <53D27A2D.2060504@restena.lu>
Date: Fri, 25 Jul 2014 17:39:25 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Bill Fenner <fenner@fenron.com>
Subject: Re: Security for the IETF wireless network
References: <0FE63216-9BE8-450F-80FB-D1DB6166DFEF@ietf.org> <53D17359.2030505@gmail.com> <CFF7BAFE.28A14%wesley.george@twcable.com> <53D25789.8000804@restena.lu> <CAATsVbY44t7QvDNe4UcBfM1MpzkphZYCyHPz=Mwax95fSpjmFg@mail.gmail.com> <53D267FF.3060102@restena.lu> <CAATsVbbmYaF0rq2a7wpHn8YguaMP1pNr=pcieU7h1iJO5fJxag@mail.gmail.com>
In-Reply-To: <CAATsVbbmYaF0rq2a7wpHn8YguaMP1pNr=pcieU7h1iJO5fJxag@mail.gmail.com>
X-Enigmail-Version: 1.6
OpenPGP: id=8A39DC66
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="qo2WuMjuSJI1cq2tOcu1CH9tomIqos4vu"
X-Virus-Scanned: ClamAV
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/HtjYlk2tt0RK88WaL5D0jF8XAI8
Cc: IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jul 2014 15:39:29 -0000
Hi,

> Meaning, you'd be happy if we replace "Do not validate server
> cert" with "If you'd like to validate the server cert, you can import
> the public key <a href="...">here</a>, or the fingerprint is
> 53 63 6f 6f 62 79 20 44 6f 6f 62 79 20 44 6f 6f 21"?

Basically, yes.

Client device UI typically offers two ways for cert validation; ideally, you'd put both on the website.

a) If you just click/tap to connect (let's call it "ignorance mode" ;-) ), all PKIX validation is ignored; UIs typically only present you with the CN of the *server cert* and the fingerprint of the *server cert*. So the IETF web site should publish the name and fingerprint of the server cert (on its HTTPS variant, of course, to establish trust in this information in the first place).

b) If you are a good user, you'd establish the PKIX CA root on your client device. For that, the IETF web site should provide the *root CA* certificate for download (plus its fingerprint for extra paranoia checks), along with the expected *server CN*. Since you provision the CA cert anyway, it doesn't matter if it's a commercial CA or your own purpose-built one.

If you want to roll your own, eduroam folks have a huge load of instructions and considerations on which cert properties should be in that certificate. See here:

https://wiki.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations

Of course you can add PDF instructions for Windows users on how to import a CA etc., and many networks do that. Or you make use of such automatic installer tools which do the job on the user's device automatically. I think I mentioned one already ;-) , and that I'm happy to give the Enterprise edition of it away for free to the IETF network: https://802.1x-config.org .

Greetings,

Stefan Winter
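The two validation modes Stefan describes, shown as an added example that is not part of the mail, of the eduroam guidance, or of the 802.1x-config tool: mode (a) compares the presented server certificate's CN and fingerprint against values published over HTTPS, mode (b) validates the chain against a provisioned root CA and then checks the expected server CN. The code uses only Go's standard library crypto/x509; the root CA, the server certificate ("radius.example.net") and the same-CN certificate issued outside that CA are constructed sample data with hypothetical names, and the function names Fingerprint, CheckPinned, CheckPKIX and MakeTestPKI are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint is the hex SHA-256 over the certificate's DER bytes: the value a
// client UI displays (usually colon-separated) and the web site would publish.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// CheckPinned is mode (a) from the mail: PKIX validation is skipped, so comparing
// the presented CN and fingerprint with the published values is all that ties
// the connection to the real RADIUS server.
func CheckPinned(presented *x509.Certificate, publishedCN, publishedFP string) error {
	if got := presented.Subject.CommonName; got != publishedCN {
		return fmt.Errorf("CN mismatch: got %q, want %q", got, publishedCN)
	}
	// Accept the fingerprint as users copy it: any case, with or without colons or spaces.
	want := strings.NewReplacer(":", "", " ", "").Replace(strings.ToLower(publishedFP))
	if Fingerprint(presented) != want {
		return fmt.Errorf("fingerprint mismatch: not the published server certificate")
	}
	return nil
}

// CheckPKIX is mode (b): the root CA was provisioned on the client, so the chain
// is validated against it AND the expected server CN is checked; a valid chain
// alone would still accept any certificate that CA ever issued.
func CheckPKIX(presented, root *x509.Certificate, expectedCN string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if got := presented.Subject.CommonName; got != expectedCN {
		return fmt.Errorf("server CN mismatch: got %q, want %q", got, expectedCN)
	}
	return nil
}

// mustIssue signs tmpl for a fresh P-256 key (self-signed when parent is nil); it
// panics on error because it only builds constructed sample data.
func mustIssue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// MakeTestPKI returns constructed sample data (hypothetical names, not the IETF's
// PKI): root CA, the server cert it issued, and a self-signed cert with the same CN.
func MakeTestPKI(now time.Time) (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "Example Meeting Network Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA:      true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root, caKey := mustIssue(caTmpl, nil, nil)
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:     pkix.Name{CommonName: "radius.example.net"},
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	server, _ := mustIssue(srvTmpl, root, caKey)
	rogueTmpl := *srvTmpl // same CN, but not issued by the provisioned CA: mode (b) must reject it
	rogueTmpl.SerialNumber = big.NewInt(3)
	rogue, _ := mustIssue(&rogueTmpl, nil, nil)
	return root, server, rogue
}

func main() {
	now := time.Now()
	root, server, rogue := MakeTestPKI(now)
	cn, fp := server.Subject.CommonName, Fingerprint(server)
	fmt.Printf("publish over HTTPS: CN=%s SHA-256=%s\n", cn, fp)
	fmt.Println("(a) genuine:", CheckPinned(server, cn, fp), "| same-CN other:", CheckPinned(rogue, cn, fp))
	fmt.Println("(b) genuine:", CheckPKIX(server, root, cn, now), "| same-CN other:", CheckPKIX(rogue, root, cn, now))
}
```

Running it prints the CN and fingerprint a site would publish, then shows that a certificate with the right CN but a different key fails both checks. The fingerprint is computed over the whole DER certificate, which is what client UIs display, so mode (a) has to be re-published every time the server certificate is renewed, whereas mode (b) keeps working across renewals as long as the CA and the server CN stay the same; that operational difference is one reason to offer the root CA download as well.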
- Re: Security for the IETF wireless network Brian E Carpenter
- Re: Security for the IETF wireless network Stefan Winter
- Re: Security for the IETF wireless network George, Wes
- Re: Security for the IETF wireless network George, Wes
- Hotel networks (Was Re: Security for the IETF wir… Steve Crocker
- Re: Security for the IETF wireless network joel jaeggli
- Re: [90all] Security for the IETF wireless network Randall Gellens
- Re: Security for the IETF wireless network Stefan Winter
- Re: Security for the IETF wireless network Tim Wicinski
- Re: [90all] Security for the IETF wireless network Randy Bush
- Re: Hotel networks (Was Re: Security for the IETF… John C Klensin
- Re: Hotel networks (Was Re: Security for the IETF… Steve Crocker
- Re: Hotel networks (Was Re: Security for the IETF… joel jaeggli
- Re: Hotel networks (Was Re: Security for the IETF… Steve Crocker
- Re: Hotel networks (Was Re: Security for the IETF… George Michaelson
- Re: Hotel networks (Was Re: Security for the IETF… John C Klensin
- Re: Hotel networks (Was Re: Security for the IETF… Stefan Winter
- Re: Security for the IETF wireless network Bill Fenner
- Re: Security for the IETF wireless network George Michaelson
- Re: Security for the IETF wireless network Stefan Winter
- Re: Security for the IETF wireless network Brian E Carpenter
- Re: Security for the IETF wireless network Bill Fenner
- Re: Security for the IETF wireless network Bill Fenner
- Re: Security for the IETF wireless network John Levine
- Re: Security for the IETF wireless network Stefan Winter
- Re: Security for the IETF wireless network Stefan Winter
- Re: Hotel networks (Was Re: Security for the IETF… Samuel Weiler
- Re: Hotel networks (Was Re: Security for the IETF… Randall Gellens
- Re: Hotel networks (Was Re: Security for the IETF… Randall Gellens
- Re: Hotel networks (Was Re: Security for the IETF… Niels Dettenbach (Syndicat IT&Internet)
- Re: Hotel networks (Was Re: Security for the IETF… Stefan Winter
- Re: Hotel networks (Was Re: Security for the IETF… Randall Gellens
- Re: Hotel networks (Was Re: Security for the IETF… Randall Gellens
- Re: Hotel networks (Was Re: Security for the IETF… Melinda Shore
- Re: Security for the IETF wireless network Michael Richardson