Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN)
RFC 4334

Document Type RFC - Proposed Standard (February 2006; Errata)
Obsoletes RFC 3770
Authors Russ Housley, Tim Moore
Last updated 2020-01-21
Stream Internet Engineering Task Force (IETF)
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4334 (Proposed Standard)
Consensus Boilerplate Unknown
Responsible AD Sam Hartman
Send notices to wpolk@nist.gov
Network Working Group                                         R. Housley
Request for Comments: 4334                                Vigil Security
Obsoletes: 3770                                                 T. Moore
Category: Standards Track                                      Microsoft
                                                           February 2006

            Certificate Extensions and Attributes Supporting
            Authentication in Point-to-Point Protocol (PPP)
                and Wireless Local Area Networks (WLAN)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document defines two Extensible Authentication Protocol (EAP)
   extended key usage values and a public key certificate extension to
   carry Wireless LAN (WLAN) System Service identifiers (SSIDs).  This
   document obsoletes RFC 3770.

Housley & Moore             Standards Track                     [Page 1]
RFC 4334       Supporting Authentication in PPP and WLAN   February 2006

1. Introduction

   Several Extensible Authentication Protocol (EAP) [EAP] authentication
   methods employ X.509 public key certificates.  For example, EAP-TLS
   [EAP-TLS] can be used with PPP [PPP] as well as IEEE 802.1X [802.1X].
   PPP is used for dial-up and VPN environments.  IEEE 802.1X defines
   port-based, network access control, and it is used to provide
   authenticated network access for Ethernet, Token Ring, Wireless LANs
   (WLANs) [802.11], and other IEEE 802 networks.

   Automated selection of client certificates for use with PPP and IEEE
   802.1X is highly desirable.  By using certificate extensions to
   identify the intended environment for a particular certificate, the
   need for user input is minimized.  Further, the certificate
   extensions facilitate the separation of administrative functions
   associated with certificates used for different environments.

   IEEE 802.1X can be used for authentication with multiple networks.
   For example, the same wireless station might use IEEE 802.1X to
   authenticate to a corporate IEEE 802.11 WLAN and a public IEEE 802.11
   "hotspot."  Each of these IEEE 802.11 WLANs has a different network
   name, called Service Set Identifier (SSID).  If the network operators
   have a roaming agreement, then cross-realm authentication allows the
   same certificate to be used on both networks.  However, if the
   networks do not have a roaming agreement, then the IEEE 802.1X
   supplicant needs to select a certificate for the current network
   environment.  Including a list of SSIDs in a certificate extension
   facilitates automated selection of an appropriate X.509 public key
   certificate without human user input.  Alternatively, a companion
   attribute certificate could contain the list of SSIDs.

   This document defines extended key usage values and a WLAN-specific
   certificate extension for use in certificates issued to clients of
   PPP and WLANs.
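The certificate-selection behaviour the introduction describes, as an added example (not code from the RFC or from any supplicant implementation): it DER-encodes and parses the SSIDList extension value and picks a client certificate for the SSID the station is about to join. The object identifiers id-kp-eapOverPPP, id-kp-eapOverLAN and id-pe-wlanSSID and the SSIDList syntax are taken from sections 2 and 3 of RFC 4334, which this excerpt does not reach; the selection policy, the ClientCert structure and the sample certificates are constructed for the illustration and are not prescribed by the RFC text above.

```python
"""Supplicant-side certificate selection keyed on the RFC 4334 SSID extension.

Added illustration, not RFC 4334 code. The SSIDList value is hand-encoded as
DER so the example runs without an X.509 library; a real supplicant would
read the extension from a parsed certificate instead.
"""
from dataclasses import dataclass, field

# Object identifiers from RFC 4334 sections 2 and 3 (not in the excerpt above).
ID_KP_EAP_OVER_PPP = "1.3.6.1.5.5.7.3.13"
ID_KP_EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"
ID_PE_WLAN_SSID = "1.3.6.1.5.5.7.1.13"

MAX_SSID_LEN = 32  # SSID ::= OCTET STRING (SIZE (1..32))


def _der_len(n: int) -> bytes:
    """DER length octets, short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_ssid_list(ssids: list[bytes]) -> bytes:
    """DER-encode SSIDList ::= SEQUENCE SIZE (1..MAX) OF OCTET STRING (SIZE (1..32))."""
    if not ssids:
        raise ValueError("SSIDList must hold at least one SSID")
    items = b""
    for s in ssids:
        if not 1 <= len(s) <= MAX_SSID_LEN:
            raise ValueError("SSID length must be 1..32 octets")
        items += b"\x04" + _der_len(len(s)) + s
    return b"\x30" + _der_len(len(items)) + items


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def decode_ssid_list(der: bytes) -> list[bytes]:
    """Parse an SSIDList extension value, enforcing the ASN.1 size constraints."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SSIDList must be a single SEQUENCE")
    ssids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x04 or not 1 <= len(value) <= MAX_SSID_LEN:
            raise ValueError("SSID must be an OCTET STRING of 1..32 octets")
        ssids.append(value)
    if not ssids:
        raise ValueError("SSIDList must hold at least one SSID")
    return ssids


@dataclass
class ClientCert:
    """Hypothetical view of a client certificate: only the fields selection uses."""
    label: str
    ekus: list[str]
    extensions: dict[str, bytes] = field(default_factory=dict)


def select_certificate(certs: list[ClientCert], ssid: bytes):
    """Choose a certificate for an IEEE 802.1X association with `ssid`.

    Policy of this example (an assumption, not taken from the RFC text):
    the certificate must carry id-kp-eapOverLAN; one whose SSIDList names
    the current SSID (exact octet match) wins over one with no SSID
    extension; one whose SSIDList does not name the SSID is never chosen.
    """
    fallback = None
    for cert in certs:
        if ID_KP_EAP_OVER_LAN not in cert.ekus:
            continue
        raw = cert.extensions.get(ID_PE_WLAN_SSID)
        if raw is None:
            fallback = fallback or cert
            continue
        if ssid in decode_ssid_list(raw):
            return cert
    return fallback


# Constructed sample: three certificates a station might hold.
CORP_SSID, HOTSPOT_SSID = b"CorpNet", b"CoffeeShop"
SAMPLE_CERTS = [
    ClientCert("vpn-cert", [ID_KP_EAP_OVER_PPP]),  # PPP-only certificate
    ClientCert("corp-cert", [ID_KP_EAP_OVER_LAN],
               {ID_PE_WLAN_SSID: encode_ssid_list([CORP_SSID, b"CorpGuest"])}),
    ClientCert("generic-cert", [ID_KP_EAP_OVER_LAN]),  # no SSID extension
]

if __name__ == "__main__":
    for ssid in (CORP_SSID, HOTSPOT_SSID):
        chosen = select_certificate(SAMPLE_CERTS, ssid)
        print(ssid.decode(), "->", chosen.label if chosen else None)
```

Matching is on raw octets, because an SSID is an OCTET STRING rather than text; comparing decoded strings would let two different byte sequences with the same display form collide. The decoder rejects over-long SSIDs and empty lists so that a malformed extension is treated as an error rather than silently widening the set of networks a certificate is offered to.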

1.1. Changes since RFC 3770

   This document is primarily the same as RFC 3770.  Six significant
   changes are included:

      * This document now uses the same normative reference for ASN.1
        as RFC 3280 [PROFILE].  The intent is to have the same

      * The discussion of the critical bit in the certificate extension
        in section 2 is aligned with RFC 3280.  Also, the discussion of
        the key usage certificate extension was expanded.

      * RFC 3770 contained a typographical error in the object
        identifier for the Wireless LAN SSID Attribute Certificate
        Attribute.  Section 4 corrects the typographical error.

      * Clarified that the SSID extension may appear in certificates
        that do not include the extended key usage extension.

      * Uses the terms "peer", "EAP Server", and "supplicant" as they
        are defined in [EAP] and [802.1X].  RFC 3770 used "client"
        and "server".

      * The object identifier for the extended key usage certificate
        extension is listed in RFC 3280, and it is no longer
        repeated in this document.

1.2. Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [STDWORDS].

1.3. Abstract Syntax Notation

   All X.509 certificate [X.509] extensions are defined using ASN.1