Hi, At ACME meeting at IETF106, the last discussion of the week was around EMU looking for recommendations for EAP client/peer/supplicant cert verification logic when the client is verifying the cert that the EAP server presents. Minutes here: https://datatracker.ietf.org/doc/minutes-106-acme/ The recommendation was to ask lamps. This was also discussed on EMU mailer recently..
Quoting some additional background that Alan gave on EMU mailer: "Background: a) the current practice in TLS-based EAP methods is to use certificates with "id-kp-serverAuth" OID set for Extended Key Usage. b) many supplicants check for this OID, and refuse to perform authentication if it is missing c) supplicants do not check DNS names or any other field in the certificates d) as a result of this lack of verification, supplicants ship with all known CAs disabled for TLS-based EAP methods" The key consideration is that RFCs that recommend cert fields for EAP servers that clients should check for are not currently issued by public CAs, and in some instances (e.g. SSID) ownership can often not be proven by CAs. For example: https://tools.ietf.org/html/rfc4334#section-2 id-kp-eapOverLAN EKU https://tools.ietf.org/html/rfc4334#section-3 id-pe-wlanSSID https://tools.ietf.org/html/rfc7585#section-2.2 NAIRealm If an EAP server operator wants to use a public CA identity cert on their EAP server, what recommendations should we give to EAP clients so that the supplicant code can handle public or private CA issued EAP server identity in a secure a fashion as possible? If at some point in the future, public CAs are willing to issue certs with some or all of the above fields, then what is the migration plan, what do we tell EAP clients to do now, and how to they migrate their verification logic? The ideal experience would be along these lines for a client with real user interactions: - client connects to an EAP server - client prompts user for userId + realm and password - client verifies server cert has id-kp-eapOverLAN set - NAIRealm in cert matches user's realm - verify the cert signing chain The reality today is that if the server cert is issued by a public CA, then all that client can really check is: - id-kp-serverAuth is set - dNSName in cert matches user's realm - verify the cert signing chain We would like to document some recommendations for EAP clients and EAP operators so that public CAs could be used, and recommend checks for public vs. private CA issued EAP server certs. It seems like logic should be something like: - recommend EAP operators with private CA issued certs on their EAP servers set id-kp-eapOverLAN and NAIRealm set - recommend EAP operators using public CAs get EAP server certs with id-kp-serverAuth and dNSName set - recommend clients enable trust in public CAs - recommend clients implement different cert verification logic depending on whether the EAP server cert is issued by a public CA or private CA - for public CA certs, client checks that id-kp-serverAuth is set *and* dNSName matches user realm. If either check fails, reject. - for private CA certs, client checks that id-kp-serverAuth or id-kp-eapOverLAN is set *and* NAIRealm matches user realm. If either check fails, reject. - as a longer term goal see if public CAs will issue id-kp-eapOverLAN and NAIRealm. Although of course if some were to start doing this, then there is a migration challenge, and clients cannot make a hard check for these values against all public CAs. This doesn't really seem practical in the near term at all. Note that for an IoT device, there is some work to do to define how to e.g. extend the RFC8366 so that it can specify the dNSName that devices should check for when verifying EAP identity where they EAP server uses a public CA. Some related options are outlined in https://tools.ietf.org/html/draft-friel-anima-brski-cloud-01. Comments/thoughts? Regards, Owen
_______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu