[radext] Certficate and certificate chain selection (Was: Re: Review of draft-ietf-radext-radiusdtls)
Heikki Vatiainen <hvn@radiatorsoftware.com> Wed, 20 March 2024 08:53 UTC
Return-Path: <hvn@radiatorsoftware.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14A8FC14F681 for <radext@ietfa.amsl.com>; Wed, 20 Mar 2024 01:53:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.908
X-Spam-Level:
X-Spam-Status: No, score=-6.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=radiatorsoftware-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n3Hej6-oD3wA for <radext@ietfa.amsl.com>; Wed, 20 Mar 2024 01:53:16 -0700 (PDT)
Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84903C14F617 for <radext@ietf.org>; Wed, 20 Mar 2024 01:53:11 -0700 (PDT)
Received: by mail-wr1-x42f.google.com with SMTP id ffacd0b85a97d-33e162b1b71so5489949f8f.1 for <radext@ietf.org>; Wed, 20 Mar 2024 01:53:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=radiatorsoftware-com.20230601.gappssmtp.com; s=20230601; t=1710924788; x=1711529588; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=2s+YsPwObKZcucgt+/bY0ElGtMYFqZFmrmdSE2EMHk0=; b=n5qtTgm4x2lGGlSt3x+lGC3PYtHlrqwC3L+LsBVfoQHUqoH21Ofm+OMA17DToazvzy Cw0VOPTHR+dv8eiilXygOSTR2Jlp2fWd9uBdD5YDhYtN7yfJgz776w2GvB92T7A1DVV7 LbtmH1LrJlc6pSAlXvKimckwlKze4ETGMFlipf6fzBCylZf1yHZVUYpn42b937DolUZz GZWBW+Tj4B9OTNlhpudjeZGT/4F2h3Q7dWuNOUZZN6BerrZDAMnJ8S3le6jzSFXBoS8p F3Qpd9v+dSABiQrvnW9mmEyHUHh80tNTZFP5RW3oxGlr/cH9lYkHngTx4dtumuYo8J55 C9gw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710924788; x=1711529588; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=2s+YsPwObKZcucgt+/bY0ElGtMYFqZFmrmdSE2EMHk0=; b=sCjp5+S1OhHD8/XHIIdIqQmkCWa6IPcRR9Z9X2PfdyKvLRuyr1J0vXzfvKI3cWk/lv vdODz4E6AOyzFzAdkFbMUOdk082JLzo1CPKa1je7xcY/Qm1TG/eNcAfORay3spXyObZn TY9romH1T/BH2p//qQTUB4TbUmZQzyZGzjmHTa8hZtXAQfC4OgQl/QqYM2xOoRakrfkd tM5p1uXygzoYUYRqC6BQtMFb9/s1p60bl+Rrto4HfyOH1P2379xhNGvpIr89iusEp4V3 AGiJnyPhdRAyHDBCeCu85LH8WFJH+GoPF6bikbttDKk7W6lyFNwPLrKErWbG9JRrTSqo 1R0g==
X-Gm-Message-State: AOJu0Yx/cIWagfdVAJVcSuWLK5Y5PCIJqLIahc57tzp8liqXlshL3dbH yPivNrWVZlkmOGl+oPSebigNX0rjt/NVD2IoRr9vTbRBzBI+3tBuIEGFmSEPRF5e+tImKE8D6pc BBTrbip0QF5GgIvMmMrY3PU09wVYWTF5ulvH9PmTOjrC5cDu99g==
X-Google-Smtp-Source: AGHT+IEPUpgXFzxA/gA9oBmmRqQF3Gv6MS6sVd67549CCx0W5iU6MZJaVs8kkE39NaLJpacwurNiManHBmB4vEWRiLo=
X-Received: by 2002:a05:6000:144a:b0:33b:62c0:6181 with SMTP id v10-20020a056000144a00b0033b62c06181mr4318229wrx.42.1710924788432; Wed, 20 Mar 2024 01:53:08 -0700 (PDT)
MIME-Version: 1.0
References: <CA9BEA9C-39EF-4764-A0FE-D122413B37F7@deployingradius.com> <16f5c0c1-6c69-4d85-83c7-fe4fbdae5aa4@switch.ch>
In-Reply-To: <16f5c0c1-6c69-4d85-83c7-fe4fbdae5aa4@switch.ch>
From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Wed, 20 Mar 2024 18:52:51 +1000
Message-ID: <CAA7Lko-mk78rGLESqxVSc=GHSz4MwbXqBNqjsiVcnr2iNznMmg@mail.gmail.com>
To: radext@ietf.org
Content-Type: multipart/alternative; boundary="000000000000409dd5061413b85e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/mRVOCYKXcQddXvwA8EfM0pFsyx4>
Subject: [radext] Certficate and certificate chain selection (Was: Re: Review of draft-ietf-radext-radiusdtls)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2024 08:53:21 -0000
On Tue, 19 Mar 2024 at 23:27, Fabian Mauchle <fabian.mauchle= 40switch.ch@dmarc.ietf.org> wrote: > On 11.03.2024 14:57, Alan DeKok wrote: > > 4.2.1. > > > > ... Implementations SHOULD indicate their trusted Certification > authorities (CAs). > > > > Do RADUUS/TLS implementations do this today? > > radsecproxy does, on the server side. I.e. it will send the trusted CA > list in the ServerHello, but the client side currently ignores it (since > it can't handle multiple client certificates anyway). > I haven't seen certificate selection used on server or client side. My initial reaction for this is that static configuration has worked fine so far. Then again, when the use of RADIUS/TLS becomes more common, static configuration may be too restrictive. Therefore: - If SHOULD level key word is kept for trusted CA list, does it apply for both clients and servers? - SHOULD implies that the receiver typically takes action when it receives the list, yes? - Related to CA list, should use of Server Name Indication (SNI) also be discussed? - At the moment, do we know what is good advice (secure, matches real needs, ...)? For example, there's text in the draft about 'clients configured by their source IP address'. If such a client is creative with the CA list and SNI options, would they be able establish a TLS connection they otherwise wouldn't be able to? -- Heikki Vatiainen hvn@radiatorsoftware.com
- [radext] Review of draft-ietf-radext-radiusdtls Alan DeKok
- Re: [radext] Review of draft-ietf-radext-radiusdt… Fabian Mauchle
- [radext] Certficate and certificate chain selecti… Heikki Vatiainen
- Re: [radext] Review of draft-ietf-radext-radiusdt… Jan-Frederik Rieckers
- [radext] RADIUS/(D)TLS port usage (was: Review of… Jan-Frederik Rieckers
- Re: [radext] Certficate and certificate chain sel… Alan DeKok
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Alan DeKok
- Re: [radext] Review of draft-ietf-radext-radiusdt… Jan-Frederik Rieckers
- Re: [radext] Review of draft-ietf-radext-radiusdt… Fabian Mauchle
- Re: [radext] Server identity and RFC7585bis (was:… Mark Grayson (mgrayson)
- [radext] Accounting and Protocol-Error (was: Revi… Jan-Frederik Rieckers
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Michael Richardson
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Alan DeKok
- [radext] Server identity and RFC7585bis (was: Rev… Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis (was:… Michael Richardson
- Re: [radext] Server identity and RFC7585bis (was:… Alexander Clouter
- Re: [radext] RADIUS/(D)TLS port usage (was: Revie… Michael Richardson
- Re: [radext] Server identity and RFC7585bis (was:… Alexander Clouter
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Stephen Farrell
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis (was:… Alan DeKok
- Re: [radext] Server identity and RFC7585bis Stephen Farrell
- Re: [radext] Server identity and RFC7585bis (was:… Alan DeKok
- Re: [radext] Server identity and RFC7585bis Mark Grayson (mgrayson)
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Jan-Frederik Rieckers
- Re: [radext] Server identity and RFC7585bis Alexander Clouter
- Re: [radext] Server identity and RFC7585bis Alan DeKok
- Re: [radext] Server identity and RFC7585bis Michael Richardson
- Re: [radext] Server identity and RFC7585bis Alan DeKok
- Re: [radext] Server identity in RADIUS/(D)TLS-bis Jan-Frederik Rieckers
- Re: [radext] Accounting and Protocol-Error (was: … Alan DeKok
- Re: [radext] Server identity in RADIUS/(D)TLS-bis Alan DeKok
- Re: [radext] Server identity and RFC7585bis Fabian Mauchle
- Re: [radext] Session closure in DTLS (was: Review… Jan-Frederik Rieckers
- Re: [radext] Session closure in DTLS (was: Review… Alan DeKok
- Re: [radext] Session closure in DTLS Fabian Mauchle
- Re: [radext] Session closure in DTLS Alan DeKok