Hi Ryan,
I understand the deprecation of subjectName in favor of SubjectAltName,
this makes sense to me now.
I'm still struggling a little with mapping subjectAltName and
subjectName certificate fields to peer and server identities. I think
the text you suggested for the server name subjectAltName mapping is
good:
[rmh] How about we change "A subjectAltName of type iPAdress MAY
be used
[rmh] in the server certificate." To "If a dnsName is not
available other
[rmh] field types (for example a subjectAltName of type iPAdress
or
[rmh] uniformResourceIdentifier) MAY be used.
I think we should have similar text for the peer name. There are cases
where either or both the EAP peer and EAP server may be devices that do
not have an RFC822 name or dnsName.
I am a bit concerned with the text for the subject DN. Why not use the
same field for both server and peer certificates? In my experience the
email address in a certificate subject DN is not always the best
identifier. Could CN be used instead of email address?
With regard to usage of OCSP, I understand the concern you raise.
However, the current practice of retrieving a CRL when attached to the
network and validating the accepted certificate seems to provide decent
protection. The OCSP in TLS approach is a better approach, but how much
better is it? A SHOULD is a fairly strong requirement and its use here
may affect how quickly this document can move through the standards
track. I want to make sure we are getting significant benefit from this
added requirement.
Joe
________________________________
From: Ryan Hurst [mailto:[EMAIL PROTECTED]
Sent: Monday, February 05, 2007 1:04 PM
To: [email protected]
Subject: [Emu] RE: draft-simon-emu-rfc2716bis-07.txt
Joe - For some reason I didn't get your email, I found it on the
archives; bellow are the questions from that mail and my answers:
Where the subjectAltName field is present in the peer or
Server certificate, the Peer-Id or Server-Id MUST be set
to the contents of the subjectAltName as per Section
5.3.
[Joe] Why subjectAltName and not Subject?
[rmh] The use of the subject name was intended to
represent a directory location, directory locations may or
may not include the a value that would reasonable
map to the subject id (eg a E rdn).
its bad form to require people to change their
directory layout to deploy a application, therefore
standards that take a dependency on a specific
name form being present in a certificate should do so
by specifying that name form exist in the
subjectAltName.
If subject naming information is present in only in
the
subject name field then the Subject Field of the peer
certificate SHOULD contain a E RDN containing the
Peer-Id.
[Joe] What is E RDN?
[rmh] RDN is a relative distinguished name, DNs are made
up of these;
There is a RDN is for the email address, I don't
have the X.500
documents handy but its defined in there. I
remember the name being
just E; however I did some googling and looks like
I was wrong its
emailAddress.
Although the use of the subject field is existing
practice,
its use in EAP-TLS is deprecated and Certification
Authorities
are encouraged to use the subjectAltName field
instead.
[Joe] Are there other standards that are deprecating the
use of subject
field as well? (This is related to my first question
above.)
[rmh] uid is the only other RDN that a peer-id like
value that might be used in
[rmh] however in practice I have never seen this used;
see my other comment as
[rmh] to why. This is one of the reasons other rfcs like
TLS deprecate use of the
[rmh] subject dn for subjectAltName instead (see 3.1 of
http://www.ietf.org/rfc/rfc2818.txt)
Where the peer identity represents a host, a
subjectAltName
of type dNSName SHOULD be present in the peer
certificate. Where the
peer identity represents a user and not a resource, a
subjectAltName of type
rfc822Name SHOULD be used, conforming to the grammar for
the
Network Access Identifier (NAI) defined in [RFC4282]
Section 2.1.
If the peer identity represents neither a host nor a
user,
another field type (for example a subjectAltName of type
iPAddress
or uniformResourceIdentifier) MAY be used.
[Joe] There may be hosts which do not have a DNSName or
Ipaddress (L2
entities), so I think we need to clarify the above
text.
[rmh] This text does not preclude the inclusion of other
name forms
[rmh] it even allows for it by saying other types can be
included.
[rmh] It is important to encourage a name form be
included for interop sake
[rmh] dnsName and rfc822 is clearly the most common in
existing deployments
[rmh] so including it seems appropriate.
[rmh] There should be some text in the security
consideration section
[rmh] about the MITM risks associated with making a
trust decision
[rmh] on unauthenticated values you have at L2.
A server identity will typically represent a host, not a
user
Or a resource. As a result, a subjectAltName of type
dNSName
SHOULD be present in the server certificate. A
subjectAltName of
Type iPAdress MAY be used in the server certificate.
[Joe] We probably need to allow various name types for
the server as
well. I think there still needs to be some discussion
on how
subjectAltNames map to peer and server names in the case
where there are
multiple subjectAltNames.
[rmh] How about we change "A subjectAltName of type
iPAdress MAY be used
[rmh] in the server certificate." To "If a dnsName is
not available other
[rmh] field types (for example a subjectAltName of type
iPAdress or
[rmh] uniformResourceIdentifier) MAY be used.
5.4. Certificate revocation
Certificates are long lived assertions of identity.
Therefore it is important for EAP-TLS implementations
to
be capable of checking whether these assertions have
been
revoked.
EAP-TLS peer and server implementations MUST support
the
use of Certificate Revocation Lists (CRLs); for
details,
see [RFC3280] section 3.3. EAP-TLS peer and server
implementations SHOULD also support the Online
Certificate Status Protocol (OCSP), described in
[RFC2560].
OCSP messages are typically much smaller than CRLs
which can
shorten connection times especially in bandwidth
constrained
environments.
While EAP-TLS servers are typically connected to the
Internet
during the EAP conversation, an EAP-TLS peer may not
have
Internet connectivity until authentication completes.
[Joe] This is somewhat different than what the current
draft has
specified up until now. I am a little uneasy with OCSP
as a SHOULD,
are there other specifications which have such a strong
recommendation
for OCSP?
[rmh] I know of no other RFC that uses SHOULD for OCSP,
however I know of
[rmh] no other protocol in which its primary use case
prevents a client from
[rmh] checking the revocation status of the server. The
use of OCSP and TLS
[rmh] extensions enables this client to do this check.
[rmh] The SHOULD is a response to this security risk,
weaker wording would be
[rmh] the same as saying MAY choose to be vulnerable to
these attacks, SHOULD
[rmh] allows vendors to choose not to do so while
encouraging them to address
[rmh] these risks.
[rmh] There are also the latency and timing issues
associated with network connections
[rmh] make the download of 800k CRLs before a connect
can happen is a deal breaker,
[rmh] a few K (as little as 400 bytes) for a OCSP
response is a much better deal.
[rmh] I feel strongly the RFC needs to provide guidance
on how to use certificates
[rmh] securely and in a deployable way.
[rmh] I appreciate that not all implementations do this
but that is why its
[rmh] not a MUST.
For this reason EAP-TLS peers and servers SHOULD
implement
Certificate Status Request messages, as described in
[RFC3546]
section 3.6. To enable revocation checking in
situations
where servers do not support Certificate
Status Request messages and network connectivity is not
available prior to authentication completion, peer
implementations SHOULD also support checking for
certificate
revocation after authentication completes and network
connectivity
is available, and SHOULD utilize this capability.
[Joe] A strong recommendation for TLS extensions is
somewhat counter to
some of the discussions we have had in the past about
keeping EAP-TLS as
bare bones as possible. I would like to hear other's
opinion on this.
[rmh] See my earlier comment on the security risks
associated with the use
[rmh] scenarios for this protocol, its dependency on
certificates at layer 2,
[rmh] and the clients inability to perform revocation
checking.
[rmh] The use of OCSP and the TLS extension addresses
this risk.
_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
