Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN)
RFC 4334
| Field | Value |
|---|---|
| Type | RFC - Proposed Standard (February 2006; Errata); Obsoletes RFC 3770 |
| Authors | Russ Housley, Tim Moore |
| Last updated | 2020-01-21 |
| Stream | Internet Engineering Task Force (IETF) |
| Formats | plain text, html, pdf, htmlized (tools), htmlized with errata, bibtex |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 4334 (Proposed Standard) |
| Action Holders | (None) |
| Consensus Boilerplate | Unknown |
| Telechat date | |
| Responsible AD | Sam Hartman |
| Send notices to | wpolk@nist.gov |
Network Working Group                                         R. Housley
Request for Comments: 4334                                Vigil Security
Obsoletes: 3770                                                 T. Moore
Category: Standards Track                                      Microsoft
                                                           February 2006

Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN)

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2006).

Abstract

This document defines two Extensible Authentication Protocol (EAP) extended key usage values and a public key certificate extension to carry Wireless LAN (WLAN) System Service identifiers (SSIDs). This document obsoletes RFC 3770.

Housley & Moore Standards Track [Page 1]
RFC 4334 Supporting Authentication in PPP and WLAN February 2006

1. Introduction

Several Extensible Authentication Protocol (EAP) [EAP] authentication methods employ X.509 public key certificates. For example, EAP-TLS [EAP-TLS] can be used with PPP [PPP] as well as IEEE 802.1X [802.1X]. PPP is used for dial-up and VPN environments. IEEE 802.1X defines port-based, network access control, and it is used to provide authenticated network access for Ethernet, Token Ring, Wireless LANs (WLANs) [802.11], and other IEEE 802 networks.

Automated selection of client certificates for use with PPP and IEEE 802.1X is highly desirable. By using certificate extensions to identify the intended environment for a particular certificate, the need for user input is minimized. Further, the certificate extensions facilitate the separation of administrative functions associated with certificates used for different environments.

IEEE 802.1X can be used for authentication with multiple networks. For example, the same wireless station might use IEEE 802.1X to authenticate to a corporate IEEE 802.11 WLAN and a public IEEE 802.11 "hotspot." Each of these IEEE 802.11 WLANs has a different network name, called Service Set Identifier (SSID). If the network operators have a roaming agreement, then cross-realm authentication allows the same certificate to be used on both networks. However, if the networks do not have a roaming agreement, then the IEEE 802.1X supplicant needs to select a certificate for the current network environment.

Including a list of SSIDs in a certificate extension facilitates automated selection of an appropriate X.509 public key certificate without human user input. Alternatively, a companion attribute certificate could contain the list of SSIDs.

This document defines extended key usage values and a WLAN-specific certificate extension for use in certificates issued to clients of PPP and WLANs.

1.1. Changes since RFC 3770

This document is primarily the same as RFC 3770. Six significant changes are included:

* This document now uses the same normative reference for ASN.1 as RFC 3280 [PROFILE]. The intent is to have the same dependencies.

* The discussion of the critical bit in the certificate extension in section 2 is aligned with RFC 3280. Also, the discussion of the key usage certificate extension was expanded.

* RFC 3770 contained a typographical error in the object identifier for the Wireless LAN SSID Attribute Certificate Attribute. Section 4 corrects the typographical error.

* Clarified that the SSID extension may appear in certificates that do not include the extended key usage extension.

* Uses the terms "peer", "EAP Server", and "supplicant" as they are defined in [EAP] and [802.1X]. RFC 3770 used "client" and "server".

* The object identifier for the extended key usage certificate extension is listed in RFC 3280, and it is no longer repeated in this document.

1.2. Conventions Used in This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [STDWORDS].

1.3. Abstract Syntax Notation

All X.509 certificate [X.509] extensions are defined using ASN.1
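The supplicant-side selection the introduction describes, shown as an added example rather than text from RFC 4334 or the datatracker page: a stdlib-only encoder and strict decoder for the DER SSIDList extension value, plus a selection routine that honours the extended key usage and SSID rules. The OIDs and the SSIDList shape (SEQUENCE OF OCTET STRING, 1..32 octets) come from sections 2 and 3 of the RFC, which this page truncates; the certificate dict layout and the preference for certificates that list the SSID explicitly are assumptions.

```python
# Added example, not RFC 4334 text. OIDs come from RFC 4334 sections 2-3
# (truncated on this page); the cert dict layout and selection rule are assumed.
ID_KP_EAP_OVER_PPP = "1.3.6.1.5.5.7.3.13"  # id-kp-eapOverPPP
ID_KP_EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"  # id-kp-eapOverLAN
ID_PE_WLAN_SSID = "1.3.6.1.5.5.7.1.13"     # id-pe-wlanSSID

def _der_len(n):  # DER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_ssid_list(ssids):
    """SSIDList ::= SEQUENCE SIZE (1..MAX) OF OCTET STRING (SIZE (1..32))."""
    if not ssids or any(not 1 <= len(s) <= 32 for s in ssids):
        raise ValueError("need 1..MAX SSIDs, each 1..32 octets")
    items = b"".join(b"\x04" + _der_len(len(s)) + s for s in ssids)
    return b"\x30" + _der_len(len(items)) + items

def _read_tlv(buf, pos):  # returns (tag, value, offset just past the TLV)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    nlen = first & 0x7F if first >= 0x80 else 0   # long-form length octets
    ln = int.from_bytes(buf[pos:pos + nlen], "big") if nlen else first
    return tag, buf[pos + nlen:pos + nlen + ln], pos + nlen + ln

def decode_ssid_list(der):
    """Strict parse: one non-empty SEQUENCE, no trailing bytes, SSIDs 1..32."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der) or not body:
        raise ValueError("SSIDList is not a single non-empty DER SEQUENCE")
    ssids, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x04 or not 1 <= len(val) <= 32:
            raise ValueError("bad SSID element")
        ssids.append(val)
    return ssids

def select_certificate(certs, current_ssid):
    """Assumed supplicant rule for an 802.1X WLAN: usable if no EKU or EKU lists
    eapOverLAN, and any SSID extension must name current_ssid; explicit wins."""
    explicit, fallback = [], []
    for cert in certs:
        eku = cert.get("eku")
        if eku is not None and ID_KP_EAP_OVER_LAN not in eku:
            continue
        ext = cert.get("extensions", {}).get(ID_PE_WLAN_SSID)
        if ext is None:
            fallback.append(cert["name"])
        elif current_ssid in decode_ssid_list(ext):
            explicit.append(cert["name"])
    return (explicit or fallback or [None])[0]
```

A certificate with no extended key usage extension and no SSID extension is accepted as a fallback for any SSID, which is why an SSID-bearing certificate is preferred whenever one matches.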