[radext] draft-ietf-radext-radiusdtls Certificate Identities
Fabian Mauchle <fabian.mauchle@switch.ch> Tue, 19 March 2024 19:51 UTC
Return-Path: <fabian.mauchle@switch.ch>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3612DC14F689 for <radext@ietfa.amsl.com>; Tue, 19 Mar 2024 12:51:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=switch.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kS519oZ83Rlb for <radext@ietfa.amsl.com>; Tue, 19 Mar 2024 12:51:39 -0700 (PDT)
Received: from mx4.switch.ch (mx4.switch.ch [85.235.88.35]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C916C14CEFA for <radext@ietf.org>; Tue, 19 Mar 2024 12:51:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=switch.ch; l=4650; s=selector1; t=1710877900; h=message-id:date:mime-version:to:from:subject: content-transfer-encoding; bh=Anm4+ksXbxutwVCf5mQJ756CcfBD3+EBrtM59rG8n/8=; b=aK53O83ioG36LPK54V11kSgIUp8WHAkoZT5qhTJuZrb+YMKnNKYga9GJ 9I+m5blui6keI6bYdsZENwDmb+gxMdps4ylOrH5AZN2Lpmphy6NQisgyR zts5ISfdjJDjeNr7jA0RcblYOTnhRnpuZBGJs55PIXmF4OEt1JqO8uYru 6iX3UXopbr/9vC1l8RTcYC73v7goKwuaATdfkPEZLy1t72gVTEPkyyrKW UoNQk5Xgx7JLPTE4FAkjDG3Fcafc2qmloJzlaZ5oBUrfVE3D+boaaAH99 mxSkzsFKarUqeTNCrirHHJIL6Y65TzgEzhN0Gf3ke9FeAYHBEnrhHVSPk w==;
X-IronPort-MAIL-FROM: fabian.mauchle@switch.ch
X-IronPort-AV: E=Sophos;i="6.07,137,1708383600"; d="scan'208";a="7428901"
Received: from unknown (HELO SWH-S02-EXC1.swd.switch.ch) ([172.16.60.11]) by mx4int.switch.ch with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 19 Mar 2024 20:51:36 +0100
Received: from [130.59.116.140] (172.16.60.33) by SWH-S02-EXC1.swd.switch.ch (172.16.60.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.32; Tue, 19 Mar 2024 20:51:35 +0100
Message-ID: <f7b26c09-85da-4b54-b6cb-c30dbb9c4344@switch.ch>
Date: Tue, 19 Mar 2024 20:51:35 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: radext@ietf.org
Content-Language: en-US, de-CH
From: Fabian Mauchle <fabian.mauchle@switch.ch>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [172.16.60.33]
X-ClientProxiedBy: SWH-S05-EXC3.swd.switch.ch (172.16.60.14) To SWH-S02-EXC1.swd.switch.ch (172.16.60.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/wz9jbL24MBZAk4tiAMHoyaHdsO4>
Subject: [radext] draft-ietf-radext-radiusdtls Certificate Identities
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 19:51:44 -0000
I almost forgot, at IETF118 I volunteered to provide a proposal for
applying RFC 9525 to section 4.2.1. Here we go:
4.2.1. Authentication using X.509 certificates with PKIX trust model
All RADIUS/(D)TLS server implementations MUST implement this model.
RADIUS/(D)TLS client implementations SHOULD implement this model, but
MUST implement either this or TLS-PSK
If implemented it MUST use the following rules:
- Implementations MUST allow the configuration of a list of trusted
Certificate Authorities for new TLS sessions. This list SHOULD be
application specific and not use a global system trust store.
- Certificate validation MUST include the verification rules as per
[RFC5280].
- Implementations SHOULD indicate their trusted Certification
authorities (CAs). See [RFC5246], Section 7.4.4 and [RFC6066], Section
6 for TLS 1.2 and [RFC8446], Section 4.2.4 for TLS 1.3
RADIUS/(D)TLS clients and server SHOULD generally follow [RFC9525] when
validating peer identities. Specific details are provided below:
- The Common Name RDN MUST NOT be used to identify peers.
- If configured by the administrator, the identity check MAY be omitted
after the [RFC5280] trust chain checks. The certificate MUST then be
validated using a certificate policy OID unless unless both peers are
part of a trusted network.
- Implementations MAY match wildcards in the identifiers of DNS names
and realm names, but only in the left-most label.
- RADIUS/(D)TLS clients validate the servers identity to match their
local configuration:
* If the server was configured as a DNS name, the name is matched
against the presented names from the subjectAltName:DNS extension.
* If the server was configured by IP address, the address is matched
against the presented addresses in the subjectAltName:iPAddr extension.
* If the server was dynamically discovered as per [RFC7585] it MUST
perform the following checks, accepting the identity on the first match.
If at any step the server presents the required extension but which does
not match, the servers identity MUST be considered invalid.
o The realm which was used as input to the the dynamic discovery is
matched against the presented realm names in the subjectAltName:naiRealm
extension.
o The SRV service name yielded by the discovery process is matched
against the presented service name in the subjectAltName:SRVName extension.
o The DNS name yielded by the by the discovery process is matched
against the presented names from the subjectAltName:DNS extension
o Since the discovery process by itself is not secured, additional
measures SHOULD be taken:
- Implementations MAY require the use of DNSSEC [RFC4033] when
validating SRV service name and DNS name yielded by the discovery
process. In that case, any step for which the input was not DNSSEC
signed MUST be skipped.
- Implementations MAY require additional verification of policy
OIDs, preferably using a private CA.
- RADIUS/(D)TLS servers validate the certificate of the RADIUS/(D)TLS
client against a local database of acceptable clients. The database may
enumerate acceptable clients either by IP address, by a DNS name.
* For clients configured by DNS name, the configured name is matched
against the presented names from the subjectAltName:DNS extension.
* For clients configured by their source IP address, the configured IP
address is matched against the presented addresses in the
subjectAltName:iPAddr extension
Note: the source IP address MUST be matched exactly, a subnet match
is not possible.
- Implementations MAY allow a configuration of a set of additional
properties of the certificate to check for a peer's authorizationvto
communicate (e.g. a set of allowed values in subjectAltName:URI or a set
of allowed X.509v3 Certificate Policies).
- When the configured trust base changes (e.g., removal of a CA from the
list of trusted CAs; issuance of a new CRL for a given CA),
implementations MUST reassess continued authorization of all active
connections.
Note: with TLS1.3, renegotiation is no longer available to fulfill
this requirement.
(hope the formatting doesn't get messed up too much).
It's just a proposal, please scrutinize carefully...
This section only talks about certificate/identity verification. I think
there should also be some guidance how to issue said certificate (which
subjectAltName to include under which circumstance).
--
Fabian Mauchle
Network
NOC: +41 44 268 15 30
Direct:+41 44 268 15 39
Switch
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
- [radext] draft-ietf-radext-radiusdtls Certificate… Fabian Mauchle