[Freeipa-devel] user certificates

Nathaniel McCallum npmccallum at redhat.com
Wed Jun 11 17:14:00 UTC 2014


On Wed, 2014-06-11 at 13:07 -0400, John Dennis wrote:
> On 06/11/2014 12:12 PM, Nathaniel McCallum wrote:
> > On Wed, 2014-06-11 at 08:55 -0400, John Dennis wrote:
> >> On 06/11/2014 04:02 AM, Fraser Tweedale wrote:
> >>> There are other use cases for user certificates, e.g. client
> >>> authentication for HTTP or other network services.  Perhaps you know
> >>> of others - in which case let us know.
> >>
> >> 802.11 wireless authentication using EAP-TLS
> >>
> >> A common discussion on the RADIUS mailing lists is the desire to deploy
> >> using EAP-TLS but the difficulty of provisioning user certs is always
> >> the stumbling block.
> > 
> > Why EAP-TLS over EAP-TTLS? Legacy support? You can use a combo of
> > mechanisms to support older OSes (mainly Windows).
> 
> Because EAP-TLS is what is used for mutual client/server authentication
> using PKI. EAP-TLS is supported on more legacy OSes (e.g. older
> Windows). Microsoft only started supporting EAP-TTLS in Windows 8.
> EAP-TLS is considered very secure and my (unconfirmed) understanding is

*cough*heartbleed*cough* ;)

> it's somewhat common with enterprise Windows deployments because
> Microsoft makes it easy to provision client certs.
> 
> EAP-TTLS is primarily to set up a tunnel for other (less secure) methods
> so that sensitive information is not in the clear. Note the leading T in
> TTLS refers to "tunnel". Client authentication is optional with
> EAP-TTLS. You could establish a TLS tunnel with EAP-TTLS and then run
> EAP-TLS inside the tunnel but the two TLS sessions make it much less
> efficient; the advantage is the username can be anonymous with
> EAP-TTLS/EAP-TLS if that's actually a concern. If you're not concerned
> about user anonymity (outer identity) then there is no value in
> establishing a tunnel to run other authentication protocols in; with
> EAP-TLS, simply being able to complete the SSL handshake (with the
> required client cert) is sufficient to establish authentication.

Yes, this I understand. But in my experience, TTLS is being widely
deployed in combination with an inner client authentication precisely
because TLS was so hard to maintain. MS fought TTLS for a long time and
eventually gave in in Windows 8 precisely because so many people were
deploying TTLS with an inner authenticator.

I can't think of a single example of a TLS deployment that can't be
given a better user experience by migrating to TTLS (old Windows
excluded of course).

Nathaniel
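As an added illustration (not part of the thread, and not FreeIPA or FreeRADIUS configuration), the two methods being compared above, written as wpa_supplicant network blocks: an EAP-TLS profile, which only works once a client certificate and key have been provisioned to the user, and an EAP-TTLS profile that tunnels a password method and exposes only an anonymous outer identity. The SSID, file paths, realm and credentials are placeholders. The `domain_suffix_match` line is the check a defender wants in both profiles: with `ca_cert` alone, any server holding a certificate from that CA would be accepted, and for TTLS that means the inner password would be handed to it.

```ini
# Added example: wpa_supplicant.conf network blocks contrasting EAP-TLS and
# EAP-TTLS. All values are placeholders, not from the thread.

# EAP-TLS: mutual authentication by certificate. The client must already
# hold a certificate and private key issued by the enterprise CA; there is
# no inner method and the user identity is carried in the certificate.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.test"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="placeholder"
    # Verify the RADIUS server certificate's name, not only its CA chain.
    domain_suffix_match="radius.example.test"
    priority=10
}

# EAP-TTLS: the outer TLS handshake authenticates only the server; the user
# then authenticates with a password inside the tunnel (here MSCHAPv2).
# No client certificate has to be provisioned, and the outer identity sent
# in the clear can be anonymous.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.test"
    identity="alice@example.test"
    password="placeholder"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    # The tunnel protects the inner credentials only if the server is really
    # verified; pin the expected server name in addition to the CA.
    domain_suffix_match="radius.example.test"
    phase2="auth=MSCHAPV2"
    priority=5
}
```

With both blocks present, the supplicant prefers the EAP-TLS profile (higher `priority`) when the user has a certificate and falls back to EAP-TTLS otherwise, which is the migration path the message above describes: the server-side trust anchor and name check are the same for both, so only the client credential changes.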