
Re: Evaluation: draft-ietf-pkix-wlan-extns-04.txt



Ted:

The Security Considerations section does address this concern. It says:

SSID values are unmanaged; therefore SSIDs may not be unique. Hence,
multiple client certificates may contain the same SSID. In this
case, automatic selection of the certificate SHOULD fail, and the
implementation will require help from the user to choose the correct
certificate. If the implementation chooses to automatically select
the client certificate and choose the incorrect one, then information
such as the list of SSIDs may be disclosed.

If your concern is implementations that do not have human operators, then sequentially trying the certificates may be necessary.

Whether the implementation has a human user associated with it or not, the sequential attempt with each certificate only needs to be done once if a cache of AP MAC addresses with which the certificate has successfully authenticated is maintained. I think this is a good addition to the document. I propose the following text:

The Wireless LAN (WLAN) System Service identifiers (SSIDs) public key
certificate extension is always non-critical. It contains a list of
SSIDs. When more than one certificate includes an extended key usage
extension indicating that the certified public key is appropriate for
use with the EAP in the LAN environment, the list of SSIDs MAY be
used to select the correct certificate for authentication in a
particular WLAN.

Since SSID values are unmanaged, the same SSID can appear in
different certificates that are intended to be used with different
WLANs. When this occurs, automatic selection of the certificate
SHOULD fail, and the implementation will require help from the user
to choose the correct certificate. However, by maintaining a cache
of Access Point (AP) MAC addresses with which the certificate has
successfully authenticated, user involvement can be minimized.

I have CCed my coauthor to give him an opportunity to review my proposed text as well.

Russ

At 10:34 AM 8/4/2003 -0700, hardie@qualcomm.com wrote:
Ted Hardie           [   ]     [   ]     [ x  ]     [   ]

Since there is no guarantee of uniqueness for  SSIDs,
it seems like there may be a separate step needed
when you have the "every SSID is called CORP" problem.
This text, in particular:

   The Wireless LAN (WLAN) System Service identifiers (SSIDs) public key
   certificate extension is always non-critical.  It contains a list of
   SSIDs.  When more than one certificate includes an extended key usage
   extension indicating that the certified public key is appropriate for
   use with the EAP in the LAN environment, the list of SSIDs MAY be
   used to select the correct certificate for authentication in a
   particular WLAN.

may need to contain text on what to do if more than one certificate
contains the same octet string as an SSID.  Given that the whole
thing is a "MAY" the answer may well be "try them in turn" or
something very basic, but a note of the problem and what to do
would be useful.
                        thanks,
                                Ted
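
The selection behaviour discussed in this thread, sketched as an added example that is not part of either message or of the draft: a certificate is chosen by SSID, automatic selection fails when several certificates list the same SSID, and a cache of AP MAC addresses resolves the tie after one successful authentication. The class names, labels, reason strings and sample MAC addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientCert:
    label: str          # hypothetical local name for the certificate
    ssids: frozenset    # octet strings from the certificate's SSID extension

class CertSelector:
    def __init__(self, certs):
        self.certs = list(certs)
        self.ap_cache = {}  # normalized AP MAC -> label of cert that authenticated

    @staticmethod
    def _norm(mac):
        return mac.replace("-", ":").lower()

    def select(self, ssid, ap_mac):
        """Return (cert or None, reason) for the WLAN being joined."""
        candidates = [c for c in self.certs if ssid in c.ssids]
        if not candidates:
            return None, "no-match"
        if len(candidates) == 1:
            return candidates[0], "ssid"
        # Same SSID in several certificates: consult the AP MAC cache, and
        # accept a cached entry only if it is still one of the candidates.
        cached = self.ap_cache.get(self._norm(ap_mac))
        for cert in candidates:
            if cert.label == cached:
                return cert, "cache"
        return None, "ambiguous"  # automatic selection fails; ask the user

    def record_success(self, ap_mac, cert):
        # Call only after authentication with this certificate succeeded.
        self.ap_cache[self._norm(ap_mac)] = cert.label

    def record_failure(self, ap_mac):
        # Drop a stale entry so the next attempt goes back to the user.
        self.ap_cache.pop(self._norm(ap_mac), None)

# Constructed sample data: two certificates that both list the SSID "CORP".
CERT_A = ClientCert("employer-a", frozenset({b"CORP", b"LAB-A"}))
CERT_B = ClientCert("employer-b", frozenset({b"CORP"}))
```

The cache only decides which certificate to offer first; a MAC address is not authenticated, so the EAP exchange itself still has to succeed before `record_success` is called.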