IETF Logo Mail Archive

[radext] Certficate and certificate chain selection (Was: Re: Review of draft-ietf-radext-radiusdtls)

Heikki Vatiainen <hvn@radiatorsoftware.com> Wed, 20 March 2024 08:53 UTC

Return-Path: <hvn@radiatorsoftware.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14A8FC14F681 for <radext@ietfa.amsl.com>; Wed, 20 Mar 2024 01:53:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.908
X-Spam-Level:
X-Spam-Status: No, score=-6.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=radiatorsoftware-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n3Hej6-oD3wA for <radext@ietfa.amsl.com>; Wed, 20 Mar 2024 01:53:16 -0700 (PDT)
Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84903C14F617 for <radext@ietf.org>; Wed, 20 Mar 2024 01:53:11 -0700 (PDT)
Received: by mail-wr1-x42f.google.com with SMTP id ffacd0b85a97d-33e162b1b71so5489949f8f.1 for <radext@ietf.org>; Wed, 20 Mar 2024 01:53:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=radiatorsoftware-com.20230601.gappssmtp.com; s=20230601; t=1710924788; x=1711529588; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=2s+YsPwObKZcucgt+/bY0ElGtMYFqZFmrmdSE2EMHk0=; b=n5qtTgm4x2lGGlSt3x+lGC3PYtHlrqwC3L+LsBVfoQHUqoH21Ofm+OMA17DToazvzy Cw0VOPTHR+dv8eiilXygOSTR2Jlp2fWd9uBdD5YDhYtN7yfJgz776w2GvB92T7A1DVV7 LbtmH1LrJlc6pSAlXvKimckwlKze4ETGMFlipf6fzBCylZf1yHZVUYpn42b937DolUZz GZWBW+Tj4B9OTNlhpudjeZGT/4F2h3Q7dWuNOUZZN6BerrZDAMnJ8S3le6jzSFXBoS8p F3Qpd9v+dSABiQrvnW9mmEyHUHh80tNTZFP5RW3oxGlr/cH9lYkHngTx4dtumuYo8J55 C9gw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710924788; x=1711529588; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=2s+YsPwObKZcucgt+/bY0ElGtMYFqZFmrmdSE2EMHk0=; b=sCjp5+S1OhHD8/XHIIdIqQmkCWa6IPcRR9Z9X2PfdyKvLRuyr1J0vXzfvKI3cWk/lv vdODz4E6AOyzFzAdkFbMUOdk082JLzo1CPKa1je7xcY/Qm1TG/eNcAfORay3spXyObZn TY9romH1T/BH2p//qQTUB4TbUmZQzyZGzjmHTa8hZtXAQfC4OgQl/QqYM2xOoRakrfkd tM5p1uXygzoYUYRqC6BQtMFb9/s1p60bl+Rrto4HfyOH1P2379xhNGvpIr89iusEp4V3 AGiJnyPhdRAyHDBCeCu85LH8WFJH+GoPF6bikbttDKk7W6lyFNwPLrKErWbG9JRrTSqo 1R0g==
X-Gm-Message-State: AOJu0Yx/cIWagfdVAJVcSuWLK5Y5PCIJqLIahc57tzp8liqXlshL3dbH yPivNrWVZlkmOGl+oPSebigNX0rjt/NVD2IoRr9vTbRBzBI+3tBuIEGFmSEPRF5e+tImKE8D6pc BBTrbip0QF5GgIvMmMrY3PU09wVYWTF5ulvH9PmTOjrC5cDu99g==
X-Google-Smtp-Source: AGHT+IEPUpgXFzxA/gA9oBmmRqQF3Gv6MS6sVd67549CCx0W5iU6MZJaVs8kkE39NaLJpacwurNiManHBmB4vEWRiLo=
X-Received: by 2002:a05:6000:144a:b0:33b:62c0:6181 with SMTP id v10-20020a056000144a00b0033b62c06181mr4318229wrx.42.1710924788432; Wed, 20 Mar 2024 01:53:08 -0700 (PDT)
MIME-Version: 1.0
References: <CA9BEA9C-39EF-4764-A0FE-D122413B37F7@deployingradius.com> <16f5c0c1-6c69-4d85-83c7-fe4fbdae5aa4@switch.ch>
In-Reply-To: <16f5c0c1-6c69-4d85-83c7-fe4fbdae5aa4@switch.ch>
From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Wed, 20 Mar 2024 18:52:51 +1000
Message-ID: <CAA7Lko-mk78rGLESqxVSc=GHSz4MwbXqBNqjsiVcnr2iNznMmg@mail.gmail.com>
To: radext@ietf.org
Content-Type: multipart/alternative; boundary="000000000000409dd5061413b85e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/mRVOCYKXcQddXvwA8EfM0pFsyx4>
Subject: [radext] Certficate and certificate chain selection (Was: Re: Review of draft-ietf-radext-radiusdtls)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2024 08:53:21 -0000

On Tue, 19 Mar 2024 at 23:27, Fabian Mauchle <fabian.mauchle=
40switch.ch@dmarc.ietf.org> wrote:


> On 11.03.2024 14:57, Alan DeKok wrote:
> > 4.2.1.
> >
> >       ... Implementations SHOULD indicate their trusted Certification
> authorities (CAs).
> >
> >    Do RADUUS/TLS implementations do this today?
>


> radsecproxy does, on the server side. I.e. it will send the trusted CA
> list in the ServerHello, but the client side currently ignores it (since
> it can't handle multiple client certificates anyway).
>

I haven't seen certificate selection used on server or client side. My
initial reaction for this is that static configuration has worked fine so
far. Then again, when the use of RADIUS/TLS becomes more common, static
configuration may be too restrictive.

Therefore:
- If SHOULD level key word is kept for trusted CA list, does it apply for
both clients and servers?
- SHOULD implies that the receiver typically takes action when it receives
the list, yes?
- Related to CA list, should use of Server Name Indication (SNI) also be
discussed?
- At the moment, do we know what is good advice (secure, matches real
needs, ...)?

For example, there's text in the draft about 'clients configured by their
source IP address'. If such a client is creative with the CA list and SNI
options, would they be able establish a TLS connection they otherwise
wouldn't be able to?

-- 
Heikki Vatiainen
hvn@radiatorsoftware.com

v2.23.0 | Report a Bug | By Email