Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

Wed, 20 Nov 2019 02:24:38 -0800 


On 11/19/19 4:17 AM, Alan DeKok wrote:

On Nov 18, 2019, at 7:39 PM, Dan Harkins <dhark...@lounge.org> wrote:

[snip]

   Then what you can infer from a domain name in a certificate issued by such a 
CA
is that the holder of the corresponding private key controls that domain. 
Nothing
more, nothing less. But you can't infer anything from other attributes that 
have not
been validated (again, using a word you used yourself)

   Certificates contain serial numbers.  They haven't been validated by a CA.  
The lack of validation therefore means that you can't infer anything from that 
field?

   I would argue that you *can* make inferences from that field.



  What do you mean that certificate serial numbers haven't been 
validated by the CA? They
originate from the CA. They are, by definition, a valid statement from 
the CA.



   The same applies for telephone numbers.  Do CAs call the numbers?  Do they 
check that the person answering is the same person who made the request?  Maybe.

   You tell me if a CA "calls the numbers". If it doesn't then what can you 
infer
from a telephone number in a certificate it signs?

   This isn't difficult.  It means that the certificate owner has claimed he 
can be reached at that number.  And the CA has signed the statement, agreeing 
that it's a statement made by the certificate owner.


   These issues can't be answered with simple black & white statements.  If the 
data in a certificate is imperfect, it might still be useful.

   OK, convince me of its utility.

   See RFC 4334 and its discussion of SSIDs.




  Is this _my_ certificate that has this attribute in it or is it in a 
certificate I receive?
If it's my certificate then what is the point of putting it in my 
certificate? I am asking for
ambiguous data to be certified and placed in my certificate for my own 
use? If this attribute
is in a certificate I receive then what does it mean to "select the 
correct certificate for
authentication in a particular WLAN"?Fit this check into the network 
connection process:


  1. service discovery
  2. 802.11 authentication
  3. 802.11 association
  4. EAP-ID req/resp
  5. EAP authentication

Which numbered step is this attribute used in and how?


  This attribute seems useless to me and its ambiguity and therefore 
unverifiability is a

large reason why.

  Dan.








_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu





























					Reply via email to