On Nov 12, 2019, at 2:53 AM, Jan-Frederik Rieckers <rieck...@uni-bremen.de> wrote: > > Signed PGP part > On 12.11.19 00:15, Owen Friel (ofriel) wrote: >> One deployment consideration is if an operator wants to use a public PKI >> (e.g. Lets Encrypt) for their AAA certs, then it could be years, if ever, >> before these extensions could be supported (as Alan alludes to), so it would >> also be good to define how this could work with standard RFC 6125 DNS-IDs / >> RFC 5280 dNSNames. > > I had a lot of thoughts about this topic. > I am experimenting with certificates in EAP-TLS contexts and experienced > the problems with getting a certificate with specific extension > properties from our public PKI. (In my case a test certificate with a > critical MustStaple extension) > > The Problem with dNSNames is that they are also used in other contexts > (mainly HTTPS).
They're also domain names, not realms. A particular certificate may be valid for authenticating uses to the realm "example.org". That same certificate may not be valid for the main web site for "example.org". This means that domain names are a hint, but not authoritative. Only the NAIRealm field would be authoritative. i.e. "this certificate really is for users authenticating to a realm". > There would be the possibility to define a specific > prefix to bind it to a Realm without having the certificate being valid > for the HTTPS host (e.g. eap-tls.uni-bremen.de for the realm > uni-bremen.de) but I don't see the advantage in that. > This will probably don't really lead to a change in the supplicants > implementations. A common short-hand is for certificates to use the "radius" subdomain. e.g. "radius.example.org". While not perfect, it's something. > My deployment experience shows, that the certificate check is the main > security problem in WPA2-Enterprise networks. I have seen instructions > for installing WPA2-Enterprise networks where they have explicitly > suggested switching off the certificate check, probably because it was > too complicated for the users and would lead to people complaining at > the IT department about the complicated setup. Exactly. > A setup of WPA2-Enterprise can be secure if all devices are part of a > centralized Device Management, but especially in eduroam this isn't > possible. We have a lot of people who don't really care about security. What's worse is that there's no cross-platform way to set up 802.1X. It would be nice if a user could visit an HTTPS secured web site for example.com, and then download a supplicant configuration. Stefan Winter has a draft: https://tools.ietf.org/html/draft-winter-opsec-netconfig-metadata-00 But it received little support from vendors. Security should be simple, and it should be the default. Users don't care about security because it's hard, and because it too often prevents them from getting things done. If security is useful, they will use it. Alan DeKok. _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
