
Re: Admission Control to the IETF 78 and IETF 79 Networks

2010-07-12 10:21:32
Of course the MAC address is trivially forged. That is the function of
the certificate.

MAC address XXXXX is not very interesting
MAC address that party purporting to be CISCO says is XXXXX is quite a
bit more interesting
MAC address that party validated as CISCO as XXXXX is more interesting still.

Now this is not getting us to a point where nobody can possibly break
the system. But we have got to a point where the expected losses are a
couple of orders of magnitude lower than we can expect through current
approaches.


On the issues involved in using client certificates for wireless access,
I agree that the current practice falls far short of what is
acceptable. That is the reason why I think it would be helpful for the
IETF to spend some time eating the dog food (even if a different
brand, we can do better).

Now in theory, this is a problem that PKI should make easier to solve.
But instead it seems that it gives people too much scope to create
incompatible variations.


The simplest, cleanest solution to this problem is to either have a
device cert installed during manufacture or to employ my alternative
scheme designed for low performance devices that does not require them
to perform public key cryptography on the end point device (patent
pending, all rights reserved).


I do not see the value of client certificates for this type of network
access. They work in the enterprise context as the selection of the
certificate is unambiguous. But here we have a situation where we are
not really looking to become part of the IETF network specifically, we
just want a uniform identifier.

I would prefer to use client certs for VPN layer security and a device
cert for WiFi authentication. The user is not a device; conflating the
two is bad.

By a device cert, I mean an authentication credential that permits
authentication of the device without disclosure of the authentication
secret, is linked to a globally unique identifier and never expires.

The simplest solution for this in my view would be for everyone to
independently generate a self-signed cert and use the fingerprint to
mediate access. They can then in theory use the same cert in any
similar environment.


One (yucky) way we could do this is to each enter the fingerprint of
the cert(s) for each device when we register.

A much better way to achieve the same effect would be to configure the
network so that any computer that presents any certificate can access
the network registration page (just like in a hotel network) but
leaving that area is only possible after the user has authenticated
and the fingerprint of the cert is entered into the auth database.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
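As an added illustration of the scheme the message sketches (not code from the poster or from the IETF), the following Go program generates a self-signed device certificate, derives its fingerprint, and models the two-zone admission decision: any parseable certificate reaches the registration portal, and only a fingerprint that a user has bound to themselves on that portal is allowed out. The key type, the 100-year lifetime standing in for "never expires", and the `AdmissionDB` type are assumptions of this example. Proof that the device holds the matching private key is what the EAP-TLS handshake provides in a real deployment; that handshake is not modelled here, so `Admit` must only ever be fed a certificate the authenticator has already verified the client could sign for, otherwise the fingerprint is as forgeable as a MAC address.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is SHA-256 over the whole DER certificate, hex encoded. This is
// the value the admission database stores; it reveals nothing about the key.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// NewDeviceCert creates a self-signed device certificate (example helper; the
// post does not prescribe key type or lifetime). The private key stays on the
// device; only the DER certificate, and hence the fingerprint, leaves it.
func NewDeviceCert(name string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(100, 0, 0), // stands in for "never expires"
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	// Template is also the parent: a self-signed certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return key, der, nil
}

// Zone is how far the network lets a device go.
type Zone int

const (
	ZoneRegistrationOnly Zone = iota // hotel-style captive portal: registration page only
	ZoneFull                         // fingerprint registered: normal access
)

// AdmissionDB maps certificate fingerprint to the user who registered it.
type AdmissionDB struct{ owners map[string]string }

func NewAdmissionDB() *AdmissionDB { return &AdmissionDB{owners: map[string]string{}} }

// Register is called only after the user has authenticated on the portal;
// it binds the fingerprint of the cert the device is presenting to that user.
func (db *AdmissionDB) Register(der []byte, owner string) {
	db.owners[Fingerprint(der)] = owner
}

// Admit decides the zone for a device presenting certificate der, which the
// authenticator must already have verified the device could sign for (EAP-TLS).
// Any syntactically valid cert reaches the portal; only a registered one leaves it.
func (db *AdmissionDB) Admit(der []byte) (Zone, string, error) {
	if _, err := x509.ParseCertificate(der); err != nil {
		return ZoneRegistrationOnly, "", err
	}
	owner, ok := db.owners[Fingerprint(der)]
	if !ok {
		return ZoneRegistrationOnly, "", nil
	}
	return ZoneFull, owner, nil
}

func main() {
	_, der, err := NewDeviceCert("laptop-1") // constructed sample device
	if err != nil {
		panic(err)
	}
	db := NewAdmissionDB()
	z, _, _ := db.Admit(der)
	fmt.Println("before registration:", z == ZoneRegistrationOnly, Fingerprint(der))
	db.Register(der, "alice") // user authenticated on the portal
	z, owner, _ := db.Admit(der)
	fmt.Println("after registration:", z == ZoneFull, owner)
}
```

A second device that merely reuses the same common name gets a different key, hence a different fingerprint, and lands back on the portal; the identity is the certificate, not any name inside it.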
