IETF Logo Mail Archive

Re: [radext] Certficate and certificate chain selection (Was: Re: Review of draft-ietf-radext-radiusdtls)

Alan DeKok <aland@deployingradius.com> Tue, 09 April 2024 13:01 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F32BC14F69C for <radext@ietfa.amsl.com>; Tue, 9 Apr 2024 06:01:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ljfiix9NDWZ for <radext@ietfa.amsl.com>; Tue, 9 Apr 2024 06:01:07 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8E8CC14F6A0 for <radext@ietf.org>; Tue, 9 Apr 2024 06:01:06 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 1A5B08D; Tue, 9 Apr 2024 13:01:02 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAA7Lko-mk78rGLESqxVSc=GHSz4MwbXqBNqjsiVcnr2iNznMmg@mail.gmail.com>
Date: Tue, 09 Apr 2024 09:01:01 -0400
Cc: radext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <580E1573-FA7E-4F46-BDED-4BC5B61B5C29@deployingradius.com>
References: <CA9BEA9C-39EF-4764-A0FE-D122413B37F7@deployingradius.com> <16f5c0c1-6c69-4d85-83c7-fe4fbdae5aa4@switch.ch> <CAA7Lko-mk78rGLESqxVSc=GHSz4MwbXqBNqjsiVcnr2iNznMmg@mail.gmail.com>
To: Heikki Vatiainen <hvn@radiatorsoftware.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/xQ72fNlpc8v4wQPV7nGR5CbHmEc>
Subject: Re: [radext] Certficate and certificate chain selection (Was: Re: Review of draft-ietf-radext-radiusdtls)
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2024 13:01:12 -0000

On Mar 20, 2024, at 4:52 AM, Heikki Vatiainen <hvn@radiatorsoftware.com> wrote:
> I haven't seen certificate selection used on server or client side. My initial reaction for this is that static configuration has worked fine so far. Then again, when the use of RADIUS/TLS becomes more common, static configuration may be too restrictive.

  I think if we can "look ahead" to allowing dynamic certs, it would be useful.  It's been a decade since the last RADIUS + TLS document update.  We shouldn't wait another decade for the next one.

> Therefore:
> - If SHOULD level key word is kept for trusted CA list, does it apply for both clients and servers?

  I think so, yes.

> - SHOULD implies that the receiver typically takes action when it receives the list, yes?

  Yes.

> - Related to CA list, should use of Server Name Indication (SNI) also be discussed?

  Radsecproxy and FreeRADIUS support SNI.  I think that should be a MUST.

  I've also seen deployments where a hosting provider runs RADIUS for multiple domains on one server.  The "solution" to multiple domains is to issue each domain a certificate signed by the *hosting provider*.  So when domains move providers, all of the certs have to be updated.  This is less than optimal.

> - At the moment, do we know what is good advice (secure, matches real needs, ...)?

   I'm not sure we do.  We might just point to the TLS RFCs and say "do that".

> For example, there's text in the draft about 'clients configured by their source IP address'. If such a client is creative with the CA list and SNI options, would they be able establish a TLS connection they otherwise wouldn't be able to?

  The TLS-PSK draft has substantial text about source IPs.  The goal is to allow IP filtering, and tying authorization / authentication to an IP or range of IPs.  Perhaps this document could incorporate the same text.


  There's also TLS trust expressions as an I-D:  https://datatracker.ietf.org/doc/draft-davidben-tls-trust-expr/

  I've discussed the RadSec / EAP certificate selection issue with the authors.  They believe that the draft will solve the problem, and make it easier for applications to choose a trust store and/or CAs.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email