[radext] draft-ietf-radext-radiusdtls Certificate Identities
Fabian Mauchle <fabian.mauchle@switch.ch> Tue, 19 March 2024 19:51 UTC
Return-Path: <fabian.mauchle@switch.ch>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3612DC14F689 for <radext@ietfa.amsl.com>; Tue, 19 Mar 2024 12:51:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=switch.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kS519oZ83Rlb for <radext@ietfa.amsl.com>; Tue, 19 Mar 2024 12:51:39 -0700 (PDT)
Received: from mx4.switch.ch (mx4.switch.ch [85.235.88.35]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C916C14CEFA for <radext@ietf.org>; Tue, 19 Mar 2024 12:51:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=switch.ch; l=4650; s=selector1; t=1710877900; h=message-id:date:mime-version:to:from:subject: content-transfer-encoding; bh=Anm4+ksXbxutwVCf5mQJ756CcfBD3+EBrtM59rG8n/8=; b=aK53O83ioG36LPK54V11kSgIUp8WHAkoZT5qhTJuZrb+YMKnNKYga9GJ 9I+m5blui6keI6bYdsZENwDmb+gxMdps4ylOrH5AZN2Lpmphy6NQisgyR zts5ISfdjJDjeNr7jA0RcblYOTnhRnpuZBGJs55PIXmF4OEt1JqO8uYru 6iX3UXopbr/9vC1l8RTcYC73v7goKwuaATdfkPEZLy1t72gVTEPkyyrKW UoNQk5Xgx7JLPTE4FAkjDG3Fcafc2qmloJzlaZ5oBUrfVE3D+boaaAH99 mxSkzsFKarUqeTNCrirHHJIL6Y65TzgEzhN0Gf3ke9FeAYHBEnrhHVSPk w==;
X-IronPort-MAIL-FROM: fabian.mauchle@switch.ch
X-IronPort-AV: E=Sophos;i="6.07,137,1708383600"; d="scan'208";a="7428901"
Received: from unknown (HELO SWH-S02-EXC1.swd.switch.ch) ([172.16.60.11]) by mx4int.switch.ch with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 19 Mar 2024 20:51:36 +0100
Received: from [130.59.116.140] (172.16.60.33) by SWH-S02-EXC1.swd.switch.ch (172.16.60.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.32; Tue, 19 Mar 2024 20:51:35 +0100
Message-ID: <f7b26c09-85da-4b54-b6cb-c30dbb9c4344@switch.ch>
Date: Tue, 19 Mar 2024 20:51:35 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: radext@ietf.org
Content-Language: en-US, de-CH
From: Fabian Mauchle <fabian.mauchle@switch.ch>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [172.16.60.33]
X-ClientProxiedBy: SWH-S05-EXC3.swd.switch.ch (172.16.60.14) To SWH-S02-EXC1.swd.switch.ch (172.16.60.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/wz9jbL24MBZAk4tiAMHoyaHdsO4>
Subject: [radext] draft-ietf-radext-radiusdtls Certificate Identities
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 19:51:44 -0000
I almost forgot, at IETF118 I volunteered to provide a proposal for applying RFC 9525 to section 4.2.1. Here we go: 4.2.1. Authentication using X.509 certificates with PKIX trust model All RADIUS/(D)TLS server implementations MUST implement this model. RADIUS/(D)TLS client implementations SHOULD implement this model, but MUST implement either this or TLS-PSK If implemented it MUST use the following rules: - Implementations MUST allow the configuration of a list of trusted Certificate Authorities for new TLS sessions. This list SHOULD be application specific and not use a global system trust store. - Certificate validation MUST include the verification rules as per [RFC5280]. - Implementations SHOULD indicate their trusted Certification authorities (CAs). See [RFC5246], Section 7.4.4 and [RFC6066], Section 6 for TLS 1.2 and [RFC8446], Section 4.2.4 for TLS 1.3 RADIUS/(D)TLS clients and server SHOULD generally follow [RFC9525] when validating peer identities. Specific details are provided below: - The Common Name RDN MUST NOT be used to identify peers. - If configured by the administrator, the identity check MAY be omitted after the [RFC5280] trust chain checks. The certificate MUST then be validated using a certificate policy OID unless unless both peers are part of a trusted network. - Implementations MAY match wildcards in the identifiers of DNS names and realm names, but only in the left-most label. - RADIUS/(D)TLS clients validate the servers identity to match their local configuration: * If the server was configured as a DNS name, the name is matched against the presented names from the subjectAltName:DNS extension. * If the server was configured by IP address, the address is matched against the presented addresses in the subjectAltName:iPAddr extension. * If the server was dynamically discovered as per [RFC7585] it MUST perform the following checks, accepting the identity on the first match. If at any step the server presents the required extension but which does not match, the servers identity MUST be considered invalid. o The realm which was used as input to the the dynamic discovery is matched against the presented realm names in the subjectAltName:naiRealm extension. o The SRV service name yielded by the discovery process is matched against the presented service name in the subjectAltName:SRVName extension. o The DNS name yielded by the by the discovery process is matched against the presented names from the subjectAltName:DNS extension o Since the discovery process by itself is not secured, additional measures SHOULD be taken: - Implementations MAY require the use of DNSSEC [RFC4033] when validating SRV service name and DNS name yielded by the discovery process. In that case, any step for which the input was not DNSSEC signed MUST be skipped. - Implementations MAY require additional verification of policy OIDs, preferably using a private CA. - RADIUS/(D)TLS servers validate the certificate of the RADIUS/(D)TLS client against a local database of acceptable clients. The database may enumerate acceptable clients either by IP address, by a DNS name. * For clients configured by DNS name, the configured name is matched against the presented names from the subjectAltName:DNS extension. * For clients configured by their source IP address, the configured IP address is matched against the presented addresses in the subjectAltName:iPAddr extension Note: the source IP address MUST be matched exactly, a subnet match is not possible. - Implementations MAY allow a configuration of a set of additional properties of the certificate to check for a peer's authorizationvto communicate (e.g. a set of allowed values in subjectAltName:URI or a set of allowed X.509v3 Certificate Policies). - When the configured trust base changes (e.g., removal of a CA from the list of trusted CAs; issuance of a new CRL for a given CA), implementations MUST reassess continued authorization of all active connections. Note: with TLS1.3, renegotiation is no longer available to fulfill this requirement. (hope the formatting doesn't get messed up too much). It's just a proposal, please scrutinize carefully... This section only talks about certificate/identity verification. I think there should also be some guidance how to issue said certificate (which subjectAltName to include under which circumstance). -- Fabian Mauchle Network NOC: +41 44 268 15 30 Direct:+41 44 268 15 39 Switch Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
- [radext] draft-ietf-radext-radiusdtls Certificate… Fabian Mauchle