IETF Logo Mail Archive

Re: [radext] #148: Review of dynamic-discovery by Jim Schaad

"Jim Schaad" <ietf@augustcellars.com> Mon, 01 July 2013 20:37 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33B3B11E826E for <radext@ietfa.amsl.com>; Mon, 1 Jul 2013 13:37:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level:
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_46=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OkTCxgvWKTI2 for <radext@ietfa.amsl.com>; Mon, 1 Jul 2013 13:36:59 -0700 (PDT)
Received: from smtp3.pacifier.net (smtp3.pacifier.net [64.255.237.177]) by ietfa.amsl.com (Postfix) with ESMTP id 53A3211E8254 for <radext@ietf.org>; Mon, 1 Jul 2013 13:36:59 -0700 (PDT)
Received: from Philemon (173-8-216-38-Oregon.hfc.comcastbusiness.net [173.8.216.38]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp3.pacifier.net (Postfix) with ESMTPSA id 1D1C338EF1; Mon, 1 Jul 2013 13:36:59 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Stefan Winter' <stefan.winter@restena.lu>, 'Sam Hartman' <hartmans@painless-security.com>
References: <065.a122826c6d7c009295065142646863ee@trac.tools.ietf.org> <512E23F3.3000307@restena.lu> <tslip5dn5jb.fsf@mit.edu> <512E2846.5090702@restena.lu> <tsl621dn4gq.fsf@mit.edu> <51CAF86E.30504@restena.lu>
In-Reply-To: <51CAF86E.30504@restena.lu>
Date: Mon, 01 Jul 2013 13:36:02 -0700
Message-ID: <011501ce769a$9a695ac0$cf3c1040$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQG6BiECksJl4xbIhvfkRt9hc11tPgGl6Lx2Aj/W81YB2RkCxADlQHzqAcEQuuGZNf8TkA==
Content-Language: en-us
Cc: radext@ietf.org
Subject: Re: [radext] #148: Review of dynamic-discovery by Jim Schaad
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jul 2013 20:37:05 -0000

> -----Original Message-----
> From: radext-bounces@ietf.org [mailto:radext-bounces@ietf.org] On Behalf
> Of Stefan Winter
> Sent: Wednesday, June 26, 2013 7:19 AM
> To: Sam Hartman
> Cc: radext@ietf.org
> Subject: Re: [radext] #148: Review of dynamic-discovery by Jim Schaad
> 
> Hi,
> 
> > I strongly favor the first.  I agree that it means that you need to
> > have a field in the cert that contains the realm's name.
> > There are fairly obvious ways this can be done in a SAN.
> > RFc 4985 is an example of how microsoft does this.
> > My concern with the dnssec approach is that while it's easy to
> > specify,
> >
> > I'm concerned that dnssec APIs are not widely available enough at
> > userspace levels outside the resolver that I'd have confidence
> > radsecproxy or freeradius or other radsec implementations could
> > actually implement dnssec validation in the radius proxy right now.
> 
> My current working copy defines NAIRealm as a new otherName. At least I
> hope that's what it does; I mostly copy&pasted from RFC 4985 and replaced
> the strings.
> 
> I had to pick an integer for the object identifier; but couldn't find the
registry
> which holds all the assigned values. So I had to guess - I picked { id-on
9 }.
> Beat me with a club if I stole someone's ID. Does the usage of this
pobject
> ID need to be registered with IANA? If so, let me know and I'll add a note
to
> IANA considerations.
> 
> I also copied the 1993 ASN syntax (assuming that we really don't have to
> bother the 1988 one?) into an appendix A.
> 
> The text now reads:
> 
> "2.3.  Definition of the X.509 certificate property
>       SubjectAltName:otherName:NAIRealm
> 
>    This specification retrieves IP addresses and port numbers from the
>    Domain Name System which are subsequently used to authenticate users
>    via the RADIUS/TLS protocol.  Since the Domain Name System is not
>    necessarily trustworthy (e.g. if DNSSEC is not deployed for the
>    queried domain name), it is important to verify that the server which
>    was contacted is authorized to service requests for the user which
>    triggered the discovery process.
> 
>    The input to the algorithm is a NAI realm as specified in the next
>    section.  As a consequence, the X.509 certificate of the server which
>    is ultimately contacted for user authentication needs to be able to
>    express that it is authorized to handle requests for that realm.
> 
>    Current subjectAltName fields do not semantically allow to express an
>    NAI realm; the field subjectAltName:dNSName is syntactically a good
>    match but would inappropriately conflate DNS names and NAI realm
>    names.  Thus, this specification defines a new subjectAltName field
>    to hold either a single NAI realm name or a wildcard name matching a
>    set of NAI realms.
> 
>    This section defines the NAIRealm name as a form of otherName from
>    the GeneralName structure in SubjectAltName defined in [RFC5280].
> 
>       id-on-nai OBJECT IDENTIFIER ::= { id-on 9 }
> 
>       NAIRealm ::= IA5String (SIZE (1..MAX))

Are you sure you want NAIRealms to be IA5String and not UTF8String?  This is
an I18N question.

> 
>    The NAIRealm, if present, MUST contain an NAI realm as defined in
>    TODO: the new NAI document.  It may substitute labels on all dot-
>    separated parts of the NAI with the character "*" to indicate a
>    wildcard match for "all labels in this part".

This text would appear to say that foo.*.bar is a legal wildcard NAI realm.
Is that what you want?

> 
>    Appendix A contains the ASN.1 definition of the above objects."
> 
> And that appendix is:
> 
> "Appendix A.  Appendix A: ASN.1 Syntax of NAIRealm
> 
> 
> 
>       PKIXServiceNameSAN93 {iso(1) identified-organization(3) dod(6)
>           internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
>           id-mod-dns-srv-name-93(40) }
> 
>       DEFINITIONS EXPLICIT TAGS ::=
> 
>       BEGIN
> 
>       -- EXPORTS ALL --
> 
>       IMPORTS
> 
>          id-pkix
>                FROM PKIX1Explicit88 { iso(1) identified-organization(3)
>                dod(6) internet(1) security(5) mechanisms(5) pkix(7)
>                id-mod(0) id-pkix1-explicit(18) } ;
>                 -- from RFC 3280 [N2]
> 
> 
>       -- In the GeneralName definition using the 1993 ASN.1 syntax
>       -- includes:
> 
>       OTHER-NAME ::= TYPE-IDENTIFIER
> 
>       -- Service Name Object Identifier
> 
>       id-on   OBJECT IDENTIFIER ::= { id-pkix 8 }
> 
>       id-on-nai OBJECT IDENTIFIER ::= { id-on 9 }
> 
>       -- Service Name
> 
>       naiRealm OTHER-NAME ::= { NAIRealm IDENTIFIED BY { id-on-nai }}
> 
>       NAIRealm ::= IA5String (SIZE (1..MAX))
> 
>       END"
> 
> The text specifying that checking for this name is MTI is not written yet;
> please wait for day++.
> 
> Stefan
> 
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> 
> Tel: +352 424409 1
> Fax: +352 422473

v2.23.0 | Report a Bug | By Email