On Nov 6, 2024, at 11:00 PM, heasley <h...@shrubbery.net> wrote: >> >> Perhaps add a note that TACACS+ TLS servers and clients SHOUD NOT use >> well-known CAs. i.e. CAs from the web PKI. Doing so would allow clients to >> connect to any server, and would allow anyone to issue client certs. > > I think that you mean something like, SHOULD NOT, unless the client also > authenticates the server, which it should. Correct?
Think of the threat model of the web versus TACACS+. In the web, the client needs to verify that it's talking to a known server, e.g. youtube. But the server doesn't identify the client. And the client doesn't really care what kind of data it exchanges with the server. This includes passwords. In TACACS+, the client should only talk to known servers. The server should only talk to known clients. And the client isn't sending it's own passwords to the server, it's sending other peoples passwords to the server. Allowing TACACS+ to use the web PKI would be a disaster. A client could accept any "authenticated" server, and then send admin passwords. So it is the server the correct one for your company? Or is the server one with a "known" server from a web CA? You won't know. Plus, it's essentially impossible to get client certificates from the web PKI. So the client can't authenticate itself. TBH I would suggest that TACACS+ clients and servers MUST NOT use well-known CAs. Instead, they should use private CAs. To put it another way, is there any use-case where TACACS+ has a client from domain A, and a server from domain B? Especially where the two systems don't know about each other (e.g. like the web) Or is it always that both client and server are from the same domain? >> Why does the CA have to be online? > > Unless the client (or server) has a complete cache of its peer's issuer > path, the certificate can not be verified following rfc5280 methods. It > is reasonable to expect that a network device might not have this, whether > the CA is well-known or private. If it can not be verified, and the client > (or server) strictly requires it, which it should, then the connection > should be abandoned. No? > > Therefore, if the operators wishes it to always work, this must be > considered. I still don't understand this. The CA doesn't have to be online. The client has to have a copy of the CAs public cert. Perhaps any OCSP system has to be online. But I don't think anything in RFC 5280 requires that the CA is online. Many TLS systems work very well without having the CA online. So what part of RFC 5280 requires that the CA is online? Alan DeKok. _______________________________________________ OPSAWG mailing list -- opsawg@ietf.org To unsubscribe send an email to opsawg-le...@ietf.org
