On Sun, Dec 15, 2019 at 4:01 PM Owen Friel (ofriel) <ofr...@cisco.com> wrote:
> Hi, > > > > At ACME meeting at IETF106, the last discussion of the week was around EMU > looking for recommendations for EAP client/peer/supplicant cert > verification logic when the client is verifying the cert that the EAP > server presents. Minutes here: > https://datatracker.ietf.org/doc/minutes-106-acme/ The recommendation > was to ask lamps. This was also discussed on EMU mailer recently. > > > > Quoting some additional background that Alan gave on EMU mailer: > > > > “Background: > > > > a) the current practice in TLS-based EAP methods is to use certificates > with "id-kp-serverAuth" OID set for Extended Key Usage. > > b) many supplicants check for this OID, and refuse to perform > authentication if it is missing > > c) supplicants do not check DNS names or any other field in the > certificates > > d) as a result of this lack of verification, supplicants ship with all > known CAs disabled for TLS-based EAP methods” > > > > The key consideration is that RFCs that recommend cert fields for EAP > servers that clients should check for are not currently issued by public > CAs, and in some instances (e.g. SSID) ownership can often not be proven by > CAs. > > > > For example: > > > > https://tools.ietf.org/html/rfc4334#section-2 id-kp-eapOverLAN EKU > > > > https://tools.ietf.org/html/rfc4334#section-3 id-pe-wlanSSID > > > > https://tools.ietf.org/html/rfc7585#section-2.2 NAIRealm > > > > If an EAP server operator wants to use a public CA identity cert on their > EAP server, what recommendations should we give to EAP clients so that the > supplicant code can handle public or private CA issued EAP server identity > in a secure a fashion as possible? > Define “public CA” first, and it’ll be clearer that the question is really supplicant-specific. That is, most definitions for “public CAs” come down to “I don’t want to think about / analyze the security or validation practices of the CA, I want my supplicant / software / hardware vendor to do it for me, against some criteria the vendor is responsible for, and hope it all works out”. To the extent TLS uses ‘public CAs’, it either boils down to the OS or browser vendors reaching rough (independent) consensus on who is worth trusting, or the vendor going along with everyone else’s decisions for cost (too expensive for the vendor to evaluate) or compatibility (everyone else trusts them and it’d break things if the vendor doesn’t) reasons. Is the supplicant market likely to reach that consensus? It seems unlikely, unless and until you define the “thing everyone can and wants and needs to validate”, and that thing is either globally unique (like DNS) or sufficiently domain specific (e.g. Passpoint) that vendors can agree. If at some point in the future, public CAs are willing to issue certs with > some or all of the above fields, then what is the migration plan, what do > we tell EAP clients to do now, and how to they migrate their verification > logic? > This statement similarly requires untangling. There are “public CAs” as “The set of keys/certificates used for authenticating particular services” and “public CAs” as the set of organizations that own/operate those keys. The case of the former is extremely unlikely, as the industry is actively moving away from that approach to PKI, by trying to ensure separate keys for separate use cases or authentication realms, of which EAP would surely be. The case of the latter is already available from said organizations as part of “managed CA” or “private CA” offerings, which are operated by that public CA organization, but that’s effectively greenfield because you aren’t having to interoperate with any extant keys or certificate profiles. The ideal experience would be along these lines for a client with real user > interactions: > > - client connects to an EAP server > > - client prompts user for userId + realm and password > > - client verifies server cert has id-kp-eapOverLAN set > What assurance is this to provide? - NAIRealm in cert matches user’s realm > This only works iff the NAIs are globally unique (e.g. map to DNS), which imposes requirements on NAIs that aren’t present in RFC 7542, and seemingly intentionally, compared to 4282. - verify the cert signing chain > > > > The reality today is that if the server cert is issued by a public CA, > then all that client can really check is: > > - id-kp-serverAuth is set > > - dNSName in cert matches user’s realm > > - verify the cert signing chain > > > > We would like to document some recommendations for EAP clients and EAP > operators so that public CAs could be used, and recommend checks for public > vs. private CA issued EAP server certs. > If you mean the same set of CAs and keys used for TLS by common operating systems and browsers, it bears highlighting again: industry is moving away from that. Which is to say that contracts and requirements for PKIs used “by default” by browsers and operating systems are being explicit about the need to segment purpose and use case and not use such certificates for such purposes. Already, TLS and e-mail, the two dominant uses of PKI in such systems, are required to be distinguished at their intermediate level. Browsers are looking to explicitly only trust the TLS-Web side of the PKI, and making sure that the TLS-Web PKI side is highly agile. Other cases, such as restricted use server to server PKI or industry bespoke cases (such as financial services or system networking) are being restricted to PKIs that aren’t federated-by-default. For example, X9 recently revived their PKI WG, to define PKI requirements appropriate for financial services customers (like ATM to bank), because financial services struggle to move at the same speed as modern software, for understandable reasons. The use of domain/purpose-specific PKIs is something we can and should be embracing more of. It seems like logic should be something like: > > > > - recommend EAP operators with private CA issued certs on their EAP > servers set id-kp-eapOverLAN and NAIRealm set > > - recommend EAP operators using public CAs get EAP server certs with > id-kp-serverAuth and dNSName set > - recommend clients enable trust in public CAs > This is why I started with trying to define what “public CAs” are. If you mean the extant CAs trusted by browsers and operating systems, both this recommendation and the one proceeding it may not be good recommendations or long-term viable practices. That’s not to say you couldn’t, but it means your EAP services and servers need to be prepared to be as agile as the Web ecosystem is and modern operating systems are converging on. The ability to support or be beholden to “legacy” - whether algorithms, profiles, or trust in particular organizations - is something that industry is recognizing does not align with user needs. This means adopting practices like automation, being able to quantify compatibility risks, and being able to move quickly as expectations change, in response to ecosystem challenges. Maybe that’s fine for EAP, but I’m willing to suspect that it because updates may involve physically replacing client hardware or physically installing firmware, you really don’t want EAP needing to be beholden to those agility needs of the Web and OSes. And, again, that’s perfectly OK, it just means defining a PKI and set of procedures that is appropriate for that use case, and convincing industry to adopt it as an “out of the box” configuration. Or, alternatively, embracing private PKI. - recommend clients implement different cert verification logic depending > on whether the EAP server cert is issued by a public CA or private CA > Why is this good? To the extent browsers or OSes make this distinction, it’s largely based on simply phasing rollouts of new requirements, with the goal to eventually require consistent and uniform treatment to ensure simpler code with consistent and uniform security properties. Having a long-term segmentation of requirements, or even encouraging them without a clear vision back to harmonization, is definitely an anti-pattern here. - for public CA certs, client checks that id-kp-serverAuth is set **and** > dNSName matches user realm. If either check fails, reject. > > - for private CA certs, client checks that id-kp-serverAuth or > id-kp-eapOverLAN is set **and** NAIRealm matches user realm.. If either > check fails, reject. > > > > - as a longer term goal see if public CAs will issue id-kp-eapOverLAN and > NAIRealm. Although of course if some were to start doing this, then there > is a migration challenge, and clients cannot make a hard check for these > values against all public CAs. This doesn’t really seem practical in the > near term at all. > The effect of the separate EKU, which is actually quite desirable, is that it functionally makes it difficult for CAs to issue these certificates from intermediated that lack this EKU or any EKU. Further, CAs subject to browser/OS vendor oversight are consistently required to segment out their EKUs at the intermediate level, and required to always specify EKUs. The end result is that, to achieve this long term goal, you’ve effectively required the establishment of a new PKI - just at the intermediate level rather than the root. And as many of the public CAs can tell you, having recently encountered challenges regarding non-TLS intermediates from roots that are subject to browser/OS oversight, it’s often easier to use separate roots as well. Again, I think that’s desirable, to define an entirely new PKI with zero overlap with the server auth/TLS PKI used by OSes/browsers, but that does change your recommendations and design a bit :) The short term recommendation becomes “don’t use public CAs”, and that seems easier to explain and easier to evolve the technical requirements, until the time that such a new, EAP-specific public PKI can be introduced. In my mind, this is no different from organizations that want TLS certificates for their servers named “webmail” (not globally unique) or “mail_01.company.example” (not preferred name form / LDH). The answer is “use private CAs, don’t use public CAs” > > Note that for an IoT device, there is some work to do to define how to > e.g. extend the RFC8366 so that it can specify the dNSName that devices > should check for when verifying EAP identity where they EAP server uses a > public CA. Some related options are outlined in > https://tools.ietf.org/html/draft-friel-anima-brski-cloud-01. > > > > Comments/thoughts? > > > > Regards, > > Owen > > > > > > > > > > > > > > > > > _______________________________________________ > Spasm mailing list > sp...@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
_______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
