Hi to all, as an operator of an EAP-TLS server for eduroam at the University Bremen I just want to give some of my thoughts here, feel free to read or ignore them ;)
The eduroam environment is heavily used for BYOD, so we don't have any opportunity to change certificates via a Device Management. Our clients are researchers, employees, students, ... so we can't (and won't) control all devices logging in to our network. We have to use either a private CA (which brings its own problems) or a public trust anchor (e.g. T-Telesec with the DFN-Intermediate for most German universities). The deployment is done either manually by the users or with the help of tools like eduroam CAT (cat.eduroam.org).

I have done some research regarding the revocation of certificates in EAP-TLS and have come to the conclusion that, if a private key gets compromised, we have no possibility to effectively revoke the certificate in a way the clients would notice. This is the result of different problems:

* Clients don't support OCSP Stapling. The only client platform with OCSP Stapling enabled by default in the Client Hello (that I'm aware of) is currently Apple devices.
* Servers don't support OCSP Stapling. FreeRADIUS 3.0 does not support OCSP Stapling (but FreeRADIUS 4.0 will have support for it). This is probably the software mostly used for eduroam.
* Clients don't support the MustStaple certificate extension.

I don't have enough knowledge about TLSv1.3 yet, but for <=TLSv1.2 OCSP won't add much security, since OCSP Stapling is not mandatory. I will look into TLSv1.3 and MustStaple in the near future; maybe someone can give me a hint if MustStaple is also active for TLSv1.3?

All in all, I definitely think that making OCSP Stapling optional will have a benefit on small devices, but especially for the diverse environment of eduroam, making OCSP Stapling mandatory will increase the overall security of this federation. Maybe it might be a good idea to make OCSP Stapling mandatory for EAP-TLS servers?

Greetings
Janfred
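The MustStaple extension mentioned above is the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) listing the TLS extension numbers a client must see stapled; the following is an added example, not code from the post or from FreeRADIUS, that encodes such an extension with a minimal DER encoder and then checks a certificate's Extensions block for it. It assumes only the Python standard library and constructs its own sample extensions rather than reading a real certificate.

```python
# Minimal DER encode/decode for the RFC 7633 TLS Feature ("Must-Staple") extension.
TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"   # id-pe-tlsfeature (RFC 7633)
BASIC_CONSTRAINTS_OID = "2.5.29.19"       # unrelated extension, used to show skipping
STATUS_REQUEST, STATUS_REQUEST_V2 = 5, 17  # TLS extension numbers for OCSP stapling

def tlv(tag, body):
    """DER tag-length-value; a two-byte long form covers lengths up to 255."""
    length = bytes([len(body)]) if len(body) < 128 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + length + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def iter_tlv(data):
    """Yield (tag, body) for each DER element in a byte string."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                         # long-form length
            n, i = ln & 0x7F, i + (ln & 0x7F)
            ln = int.from_bytes(data[i - n:i], "big")
        yield tag, data[i:i + ln]
        i += ln

def build_extension(oid, value_der):
    return tlv(0x30, encode_oid(oid) + tlv(0x04, value_der))  # SEQUENCE { OID, OCTET STRING }

def build_tls_feature_ext(features):
    feats = b"".join(tlv(0x02, bytes([f])) for f in features)  # Features ::= SEQUENCE OF INTEGER
    return build_extension(TLS_FEATURE_OID, tlv(0x30, feats))

def must_staple(extensions_der):
    """True if the X.509 Extensions SEQUENCE demands a stapled OCSP response."""
    _, body = next(iter_tlv(extensions_der))
    for _, ext in iter_tlv(body):
        parts = list(iter_tlv(ext))           # OID, optional BOOLEAN critical, OCTET STRING
        if decode_oid(parts[0][1]) != TLS_FEATURE_OID:
            continue
        _, feat_seq = next(iter_tlv(parts[-1][1]))
        feats = {int.from_bytes(b, "big") for _, b in iter_tlv(feat_seq)}
        return bool(feats & {STATUS_REQUEST, STATUS_REQUEST_V2})
    return False

# Constructed sample: a basicConstraints extension followed by a Must-Staple extension.
SAMPLE_EXTENSIONS = tlv(0x30, build_extension(BASIC_CONSTRAINTS_OID, tlv(0x30, b""))
                        + build_tls_feature_ext([STATUS_REQUEST]))
```

In TLS 1.3 the client still sends status_request and the server carries the stapled response inside the Certificate message, so the same feature number applies there.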
Emu mailing list, Emu@ietf.org, https://www.ietf.org/mailman/listinfo/emu