| draft-ietf-emu-eaptlscert-01.txt | draft-ietf-emu-eaptlscert-02.txt | | | |
|---|---|---|---|---|
| Network Working Group M. Sethi | Network Working Group M. Sethi | |||
| Internet-Draft J. Mattsson | Internet-Draft J. Mattsson | |||
| Intended status: Informational Ericsson | Intended status: Informational Ericsson | |||
| Expires: September 6, 2020 S. Turner | Expires: September 17, 2020 S. Turner | |||
| sn3rd | sn3rd | |||
| March 5, 2020 | March 16, 2020 | |||
| Handling Large Certificates and Long Certificate Chains | Handling Large Certificates and Long Certificate Chains | |||
| in TLS-based EAP Methods | in TLS-based EAP Methods | |||
| draft-ietf-emu-eaptlscert-01 | draft-ietf-emu-eaptlscert-02 | |||
| Abstract | Abstract | |||
| EAP-TLS and other TLS-based EAP methods are widely deployed and used | EAP-TLS and other TLS-based EAP methods are widely deployed and used | |||
| for network access authentication. Large certificates and long | for network access authentication. Large certificates and long | |||
| certificate chains combined with authenticators that drop an EAP | certificate chains combined with authenticators that drop an EAP | |||
| session after only 40 - 50 round-trips is a major deployment problem. | session after only 40 - 50 round-trips is a major deployment problem. | |||
| This memo looks at the this problem in detail and describes the | This memo looks at the this problem in detail and describes the | |||
| potential solutions available. | potential solutions available. | |||
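Review bot: the abstract still reads "looks at the this problem" in both revisions; the doubled article should be dropped ("looks at this problem in detail"). The header, expiry and draft-name changes in this block (March 16, 2020 / September 17, 2020 / -02) are consistent with each other, so nothing else is needed here.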
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 6, 2020. | This Internet-Draft will expire on September 17, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 4, line 38 ¶ | skipping to change at page 4, line 38 ¶ | |||
| o Long Public Key and Signature fields. | o Long Public Key and Signature fields. | |||
| o Can contain multiple object identifiers (OID) that indicate the | o Can contain multiple object identifiers (OID) that indicate the | |||
| permitted uses of the certificate as noted in Section 5.3 of | permitted uses of the certificate as noted in Section 5.3 of | |||
| [RFC5216]. Most implementations verify the presence of these OIDs | [RFC5216]. Most implementations verify the presence of these OIDs | |||
| for successful authentication. | for successful authentication. | |||
| o Multiple user groups in the certificate. | o Multiple user groups in the certificate. | |||
| The certificate chain can typically include 2 - 6 certificates to the | A certificate chain (called a certification path in [RFC5280]) can | |||
| root-of-trust. | have 2 - 6 intermediate certificates between the end-entity | |||
| certificate and the trust anchor [RFC5280]. | ||||
| Most common access point implementations drop EAP sessions that do | Most common access point implementations drop EAP sessions that do | |||
| not complete within 50 round-trips. This means that if the chain is | not complete within 50 round-trips. This means that if the chain is | |||
| larger than ~ 60 kB, EAP-TLS authentication cannot complete | larger than ~ 60 kB, EAP-TLS authentication cannot complete | |||
| successfully in most deployments. | successfully in most deployments. | |||
| 4. Handling of Large Certificates and Long Certificate Chains | 4. Handling of Large Certificates and Long Certificate Chains | |||
| This section discusses some possible alternatives for overcoming the | This section discusses some possible alternatives for overcoming the | |||
| challenge of large certificates and long certificate chains in EAP- | challenge of large certificates and long certificate chains in EAP- | |||
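Review bot: the rewritten chain sentence changes what is being counted, from "2 - 6 certificates to the root-of-trust" (the whole chain) to "2 - 6 intermediate certificates between the end-entity certificate and the trust anchor", which implies a longer chain than before, yet the following paragraph's "larger than ~ 60 kB" bound and "50 round-trips" figure are unchanged; state how the ~60 kB threshold follows from the round-trip limit (the per-round-trip payload it assumes) so readers can check the two numbers against each other, and reconcile "50 round-trips" here with "40 - 50 round-trips" in the abstract. Also, [RFC5280] is cited twice in the same sentence; the second citation can go.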
| skipping to change at page 9, line 29 ¶ | skipping to change at page 9, line 29 ¶ | |||
| MUST output the same data that was provided as input by. After | MUST output the same data that was provided as input by. After | |||
| decompression, the Certificate message MUST be processed as if it | decompression, the Certificate message MUST be processed as if it | |||
| were encoded without being compressed. Additional security | were encoded without being compressed. Additional security | |||
| considerations when compressing certificates are specified in | considerations when compressing certificates are specified in | |||
| [I-D.ietf-tls-certificate-compression] | [I-D.ietf-tls-certificate-compression] | |||
| As noted in [I-D.thomson-tls-sic], suppressing intermediate | As noted in [I-D.thomson-tls-sic], suppressing intermediate | |||
| certificates creates an unencrypted signal that might be used to | certificates creates an unencrypted signal that might be used to | |||
| identify which clients believe that they have all intermediates. | identify which clients believe that they have all intermediates. | |||
| This might also allow more effective fingerprinting and tracking of | This might also allow more effective fingerprinting and tracking of | |||
| client. | clients. | |||
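Review bot: the "client" to "clients" fix is fine, but two defects in the same block survive in both columns: "MUST output the same data that was provided as input by." ends on a dangling "by" (either name the party or end the sentence at "input"), and the sentence ending in "[I-D.ietf-tls-certificate-compression]" is missing its full stop.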
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [I-D.ietf-emu-eap-tls13] | [I-D.ietf-emu-eap-tls13] | |||
| Mattsson, J. and M. Sethi, "Using EAP-TLS with TLS 1.3", | Mattsson, J. and M. Sethi, "Using EAP-TLS with TLS 1.3", | |||
| draft-ietf-emu-eap-tls13-08 (work in progress), December | draft-ietf-emu-eap-tls13-08 (work in progress), December | |||
| 2019. | 2019. | |||
| End of changes. 6 change blocks. | ||||
| 7 lines changed or deleted | 8 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||