Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN)
RFC 3770

Document Type RFC - Proposed Standard (May 2004; Errata)
Obsoleted by RFC 4334
Authors Russ Housley  , Tim Moore 
Last updated 2020-01-21
Stream Internet Engineering Task Force (IETF)
Formats plain text html pdf htmlized (tools) htmlized with errata bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3770 (Proposed Standard)
Action Holders
Consensus Boilerplate Unknown
Telechat date
Responsible AD Steven Bellovin
Send notices to <wpolk@nist.gov>
Network Working Group                                         R. Housley
Request for Comments: 3770                                Vigil Security
Category: Standards Track                                       T. Moore
                                                                May 2004

           Certificate Extensions and Attributes Supporting
            Authentication in Point-to-Point Protocol (PPP)
                and Wireless Local Area Networks (WLAN)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.


   This document defines two EAP extended key usage values and a public
   key certificate extension to carry Wireless LAN (WLAN) System Service
   identifiers (SSIDs).

1.  Introduction

   Several Extensible Authentication Protocol (EAP) [EAP] authentication
   methods employ X.509 public key certificates.  For example, EAP-TLS
   [EAP-TLS] can be used with PPP [PPP] as well as IEEE 802.1X [802.1X].
   PPP is used for dial-up and VPN environments.  IEEE 802.1X defines
   port-based, network access control, and it is used to provide
   authenticated network access for Ethernet, Token Ring, and Wireless
   LANs (WLANs) [802.11].

   Automated selection of certificates for PPP and IEEE 802.1X clients
   is highly desirable.  By using certificate extensions to identify the
   intended environment for a particular certificate, the need for user
   input is minimized.  Further, the certificate extensions facilitate
   the separation of administrative functions associated with
   certificates used for different environments.

Housley & Moore             Standards Track                     [Page 1]
RFC 3770                      PPP and WLAN                      May 2004

   IEEE 802.1X can be used for authentication with multiple networks.
   For example, the same wireless station might use IEEE 802.1X to
   authenticate to a corporate IEEE 802.11 WLAN and a public IEEE 802.11
   "hotspot."  Each of these IEEE 802.11 WLANs has a different network
   name, called Service Set Identifier (SSID).  If the network operators
   have a roaming agreement, then cross realm authentication allows the
   same certificate to be used on both networks.  However, if the
   networks do not have a roaming agreement, then the IEEE 802.1X client
   needs to select a certificate for the current network environment.
   Including a list of SSIDs in a certificate extension facilitates
   automated selection of an appropriate X.509 public key certificate
   without human user input.  Alternatively, a companion attribute
   certificate could contain the list of SSIDs.

1.1.  Conventions Used In This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in BCP 14, RFC 2119

1.2.  Abstract Syntax Notation

   All X.509 certificate [X.509] extensions are defined using ASN.1
   [X.208, X.209].

2.  EAP Extended Key Usage Values

   RFC 3280 [PROFILE] specifies the extended key usage X.509 certificate
   extension.  The extension indicates one or more purposes for which
   the certified public key may be used.  The extended key usage
   extension can be used in conjunction with key usage extension, which
   indicates the intended purpose of the certified public key.  For
   example, the key usage extension might indicate that the certified
   public key ought to be used only for validating digital signatures.

   The extended key usage extension definition is repeated here for

      id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}

      ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

      KeyPurposeId ::= OBJECT IDENTIFIER

   This specification defines two KeyPurposeId values: one for EAP over
   PPP, and one for EAP over LAN (EAPOL).  Inclusion of the EAP over PPP
   value indicates that the certified public key is appropriate for use

Housley & Moore             Standards Track                     [Page 2]
RFC 3770                      PPP and WLAN                      May 2004

   with EAP in the PPP environment, and the inclusion of the EAPOL value
   indicates that the certified public key is appropriate for use with
   the EAP in the LAN environment.  Inclusion of both values indicates
   that the certified public key is appropriate for use in either of the

      id-kp  OBJECT IDENTIFIER  ::=  { iso(1) identified-organization(3)
Show full document text