Re: [radext] BoF request for IETF 115

Alan DeKok <aland@deployingradius.com> Wed, 28 September 2022 11:53 UTC

On Sep 28, 2022, at 3:11 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
> From what I see in operations, the biggest problem people have with certificates seems to be that they have an expiry date you need to attend to.

  I agree 110%.  It's the biggest issue with certificates.

  Using a private CA is awkward, but isn't too bad.  Using public CAs is much more difficult.

> If PSKs are too low-entropy then one of the more recent public/private keypair constructs could be an alternative: RFC7250, "Using Raw Public Keys in TLS and DTLS".
> 
> This reduces "certificates" to the pure public/private keypair, with no expiry, no names in need of vetting, and able to meet all the expectations on entropy etc. It also integrates nicely into TLS, so no custom code beyond TLS itself is needed on either client or server.

  OpenSSL does not support it; https://github.com/openssl/openssl/pull/18185

  Which means it's off the table for most people.

  But it's definitely worth mentioning in any document updates.

  Alan DeKok.
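To make the trade-off in the exchange above concrete, here is an added example (not from the thread or from any RADIUS implementation) of what the RFC 7250 pieces look like on the wire and what the trust decision reduces to: the client offers RawPublicKey via the server_certificate_type extension, the peer's Certificate payload carries a bare SubjectPublicKeyInfo, and the only check left is a fingerprint match against a key provisioned out of band. The SPKI bytes, the fingerprint store and the function names are constructed for illustration.

```python
import hashlib
import struct

# Extension type and CertificateType values registered by RFC 7250.
EXT_SERVER_CERT_TYPE = 20          # server_certificate_type
CERT_TYPE_X509 = 0
CERT_TYPE_RAW_PUBLIC_KEY = 2

# Constructed sample: DER SubjectPublicKeyInfo of an Ed25519 key (RFC 8410 layout).
# The 32 key bytes are a placeholder pattern, not a real key.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))

def build_server_cert_type_offer(types):
    """Client side: list the certificate types it accepts from the server."""
    body = bytes([len(types)]) + bytes(types)
    return struct.pack("!HH", EXT_SERVER_CERT_TYPE, len(body)) + body

def parse_server_cert_type_choice(ext):
    """Server side answer: exactly one CertificateType."""
    if len(ext) != 5:
        raise ValueError("malformed server_certificate_type extension")
    ext_type, length = struct.unpack("!HH", ext[:4])
    if ext_type != EXT_SERVER_CERT_TYPE or length != 1:
        raise ValueError("malformed server_certificate_type extension")
    return ext[4]

def encode_rpk_cert_entry(spki):
    """Certificate payload for RawPublicKey: opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>."""
    return len(spki).to_bytes(3, "big") + spki

def spki_fingerprint(spki):
    return hashlib.sha256(spki).hexdigest()

def verify_raw_public_key(cert_entry, pinned_fingerprints):
    """Trust decision for RPK: no chain, no names, no expiry. The peer's SPKI must
    match a fingerprint provisioned out-of-band (e.g. next to the RADIUS client entry)."""
    if len(cert_entry) < 4:
        raise ValueError("malformed RPK certificate entry")
    length = int.from_bytes(cert_entry[:3], "big")
    spki = cert_entry[3:]
    if length == 0 or len(spki) != length:
        raise ValueError("malformed RPK certificate entry")
    return spki_fingerprint(spki) in pinned_fingerprints

if __name__ == "__main__":
    offer = build_server_cert_type_offer([CERT_TYPE_RAW_PUBLIC_KEY, CERT_TYPE_X509])
    choice = parse_server_cert_type_choice(struct.pack("!HHB", EXT_SERVER_CERT_TYPE, 1, CERT_TYPE_RAW_PUBLIC_KEY))
    pinned = {spki_fingerprint(SAMPLE_SPKI)}
    print(offer.hex(), choice, verify_raw_public_key(encode_rpk_cert_entry(SAMPLE_SPKI), pinned))
```

What the example does not do is the actual handshake: the TLS stack must negotiate the extension and present the SPKI, which is exactly the OpenSSL support the thread notes was missing at the time.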