In 802.11AR what comprises an identity is up to the manufacturer.  They
can put whatever they want in there as long as it is unique within their
namespace.  Right now it is unclear where the device identity will go.
Currently, if the identity is placed in the subject name, I don't think
it will use the email address RDN.  It is fairly common practice to use
CN and there is some existence of serialNumber since, as you pointed
out, CN may contain different, less unique information.  I don't know of
any devices currently that place device identity in subjectAltName
fields.
 
Offhand there may be some privacy concerns with using MAC address
(although this would probably be true of any "permanent" identifier).  I
don't think we want EAP-TLS to depend upon knowing about MAC addresses.
The security implications of MAC addresses will vary with deployment
scenarios.  I think these are largely out of scope for EAP-TLS.
 
 Joe


________________________________

        From: Ryan Hurst [mailto:[EMAIL PROTECTED] 
        Sent: Wednesday, February 21, 2007 10:01 AM
        To: Joseph Salowey (jsalowey); Bernard Aboba; [email protected]
        Subject: RE: [Emu] RE: draft-simon-emu-rfc2716bis-07.txt
        
        
        I believe that 802.11AR still allows for the device ID to be a
        MAC address, at least the last version I read did, although they
        have gone from that being the ID to the ID being one that could
        be a MAC address.
         
        I think the issue is the same one you have been calling out: if
        I have a device, where should the device identity go?
         
        And to that end, if that identity is a MAC address, what are the
        security concerns?
         
        Ryan

________________________________

        From: Joseph Salowey (jsalowey) [mailto:[EMAIL PROTECTED]
        Sent: Wed 2/21/2007 9:56 AM
        To: Bernard Aboba; Ryan Hurst; [email protected]
        Subject: RE: [Emu] RE: draft-simon-emu-rfc2716bis-07.txt
        
        

        
        
        > -----Original Message-----
        > From: Bernard Aboba [mailto:[EMAIL PROTECTED]
        > Sent: Wednesday, February 21, 2007 9:52 AM
        > To: Joseph Salowey (jsalowey); [EMAIL PROTECTED]; [email protected]
        > Subject: RE: [Emu] RE: draft-simon-emu-rfc2716bis-07.txt
        >
        > >     [rmh] As for the value, EAP is not 802.11 only, therefore a
        > > device id should not be a MAC. Also a MAC has locally
        > > administered and globally administered versions; you would
        > > probably want to restrict the use to the globally issued ones.
        > > Then there are the privacy issues: since the MAC is used as a
        > > source address, an attacker can presume, if an EAP
        > > authentication is successful, that the MAC used in the source
        > > address was authenticated. I think there are other issues
        > > related to it being a MAC address that should be thought
        > > through before it is added, especially if it's not even common
        > > practice today, which it doesn't appear to be.
        > >
        > >     [Joe]  I think we are in agreement here.
        >
        > Use of the MAC address as an EAP-TLS identity is not yet
        > common practice.  
        > Yet both IEEE 802.1AR and WiMAX documents talk about use of
        > MAC addresses in certificates (using different formats), so
        > it could be used more widely in the future.
        >
        [Joe] IEEE802.1AR is going down a different path than using MAC
        address in certificates.  I don't know about WiMAX.
        
        > I agree that using a locally administered MAC address as an
        > identity in EAP-TLS does not make sense.
        >
        > Do we have proposed text to deal with this issue?
        
        [Joe] What is the issue?
        
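The thread above raises the point that a MAC address comes in locally administered and globally administered forms, that only the globally issued ones would make sense as an identifier, and that a locally administered MAC as an EAP-TLS identity does not make sense. The following Python helper is an added example, not code from the EMU thread or from any draft it discusses: it parses a MAC as it might appear in a certificate field, reads the two flag bits in the first octet (bit 0 is the I/G individual/group bit, bit 1 is the U/L universal/local bit), and reports whether the address is even a plausible candidate for a device identifier. The accepted input formats and the sample addresses are my own assumptions.

```python
"""Added example: classify a MAC address before accepting it as a
device identifier.  Not part of the EMU thread or any draft it cites;
input formats and sample values are constructed assumptions."""
import re

# colon-, hyphen-, or unseparated hex pairs; the separator must be consistent
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?)[0-9A-Fa-f]{2}(\1[0-9A-Fa-f]{2}){4}$")
# dotted form as some network gear prints it, e.g. 001b.6384.45e6
_DOTTED_RE = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")


def parse_mac(text: str) -> bytes:
    """Normalise a textual MAC address to its six raw octets."""
    s = text.strip()
    if _DOTTED_RE.match(s):
        s = s.replace(".", "")
    elif _MAC_RE.match(s):
        s = re.sub(r"[:-]", "", s)
    else:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(s)


def classify_mac(text: str) -> dict:
    """Return the I/G and U/L flag bits and the OUI of a MAC address."""
    mac = parse_mac(text)
    first = mac[0]
    return {
        "mac": mac.hex(":"),
        "multicast": bool(first & 0x01),             # I/G bit set: group address
        "locally_administered": bool(first & 0x02),  # U/L bit set: not vendor-issued
        "oui": mac[:3].hex(":"),                     # vendor prefix of a global address
    }


def acceptable_device_identifier(text: str):
    """Decide whether a MAC could serve as a globally unique device identifier.

    Only a unicast, universally administered address carries a vendor
    assignment that makes it unique in a global namespace; anything else
    is rejected together with the reason.  Returns (ok, reason).
    """
    try:
        info = classify_mac(text)
    except ValueError as exc:
        return False, str(exc)
    if info["multicast"]:
        return False, "group (multicast) address, not a device address"
    if info["locally_administered"]:
        return False, "locally administered address, not globally unique"
    return True, "universally administered unicast address"


def same_mac(a: str, b: str) -> bool:
    """Compare two MAC strings regardless of separator style or case,
    e.g. a certificate CN value against an address seen on the wire."""
    return parse_mac(a) == parse_mac(b)


if __name__ == "__main__":
    # constructed sample values covering each outcome
    for sample in ["00:1b:63:84:45:e6", "02-00-00-00-00-01",
                   "01:00:5e:00:00:fb", "aabb.ccdd.eeff", "not-a-mac"]:
        print(sample, acceptable_device_identifier(sample))
```

The check is deliberately limited to what the address bits themselves say. A universally administered unicast address is only a candidate identifier; whether it is bound to the right device is a matter for the certificate and the key proof, and, as the thread notes, the privacy consequences of tying an authentication to a source address do not go away because the address is globally issued.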

_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
