Owen Friel (ofriel) <ofr...@cisco.com> wrote:
> “Background:
> a) the current practice in TLS-based EAP methods is to use certificates
with
> "id-kp-serverAuth" OID set for Extended Key Usage.
> b) many supplicants check for this OID, and refuse to perform
authentication
> if it is missing
> c) supplicants do not check DNS names or any other field in the
certificates
> d) as a result of this lack of verification, supplicants ship with all
known
> CAs disabled for TLS-based EAP methods”
> The key consideration is that RFCs that recommend cert fields for EAP
servers
> that clients should check for are not currently issued by public CAs, and
in
> some instances (e.g. SSID) ownership can often not be proven by CAs.
> For example:
> https://tools.ietf.org/html/rfc4334#section-2 id-kp-eapOverLAN EKU
> https://tools.ietf.org/html/rfc4334#section-3 id-pe-wlanSSID
> https://tools.ietf.org/html/rfc7585#section-2.2 NAIRealm
> If an EAP server operator wants to use a public CA identity cert on their
EAP
> server, what recommendations should we give to EAP clients so that the
> supplicant code can handle public or private CA issued EAP server
identity in
> a secure a fashion as possible?
> If at some point in the future, public CAs are willing to issue certs with
> some or all of the above fields, then what is the migration plan, what do
we
> tell EAP clients to do now, and how to they migrate their verification
> logic?
I think that this is a really big if.
So, I want to change the question, which I think can make this problem a lot
easier to get traction on.
} If at some point in the future, there is one or more well-known trust
} anchors that (IoT?) devices can build in, and these CAs are willing to issue
} certs with some or all of the above fields, can we design a transition
} process from one-touch provisioned private CAs to a common DN+extension
} based common anchor?
> The ideal experience would be along these lines for a client with real
user
> interactions:
1> - client connects to an EAP server
2> - client prompts user for userId + realm and password
3> - client verifies server cert has id-kp-eapOverLAN set
4> - NAIRealm in cert matches user’s realm
5> - verify the cert signing chain
<2> and <3> seem in the wrong order.
If the certificate has NAIRealm, why would we need to ask the user for the
realm? Wouldn't we instead ask them: "What is your userID in REALM FOO"
> The reality today is that if the server cert is issued by a public CA,
then
> all that client can really check is:
1> - id-kp-serverAuth is set
2> - dNSName in cert matches user’s realm
3> - verify the cert signing chain
I think that <3> happens first, and the connection is dropped if it does not
validate. Maybe you aren't expressing an order here at all.
> It seems like logic should be something like:
> - recommend EAP operators with private CA issued certs on their EAP
servers
> set id-kp-eapOverLAN and NAIRealm set
> - recommend EAP operators using public CAs get EAP server certs with
> id-kp-serverAuth and dNSName set
> - recommend clients enable trust in public CAs
> - recommend clients implement different cert verification logic depending
on
> whether the EAP server cert is issued by a public CA or private CA
Would setting dNSNAME on private CA issued certs reduce complexity?
> - as a longer term goal see if public CAs will issue id-kp-eapOverLAN and
> NAIRealm. Although of course if some were to start doing this, then there
is
> a migration challenge, and clients cannot make a hard check for these
values
> against all public CAs. This doesn’t really seem practical in the near
term
> at all.
Trust NAIRealm extension only if id-kp-eapOverLAN is set.
having implemented the dNSNAME code path, it seems like there is no point in
implementing the other path.
> Note that for an IoT device, there is some work to do to define how to
e.g.
> extend the RFC8366 so that it can specify the dNSName that devices should
> check for when verifying EAP identity where they EAP server uses a public
CA.
> Some related options are outlined in
> https://tools.ietf.org/html/draft-friel-anima-brski-cloud-01.
Owen and I have wrangled about the topic of how exactly the pinning is done.
The above document does not really outline the problem space in my opinion,
focusing on other dimensions of the process.
The requirements that Owen has expressed to me are:
1) 8366bis must be able to pin CA + DN/SAN, such that the operator can rotate
their
public key without invalidating the voucher. (possibly including
changing public key algorithm)
2) 8366bis must be able to pin (?-public key), such that the operator can
switch (public) CAs without invalidating the voucher.
There might be a (3) that I can't think of right now.
But, if these two requirements seem to contradict each other, then high-five
to you, you were paying attention :-)
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
signature.asc
Description: PGP signature
_______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
