Network Working Group R. Housley
Request for Comments: 3770 Vigil Security
Category: Standards Track T. Moore
Microsoft
May 2004
Certificate Extensions and Attributes Supporting
Authentication in Point-to-Point Protocol (PPP)
and Wireless Local Area Networks (WLAN)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
This document defines two EAP extended key usage values and a public
key certificate extension to carry Wireless LAN (WLAN) Service Set
Identifiers (SSIDs).
1. Introduction
Several Extensible Authentication Protocol (EAP) [EAP] authentication
methods employ X.509 public key certificates. For example, EAP-TLS
[EAP-TLS] can be used with PPP [PPP] as well as IEEE 802.1X [802.1X].
PPP is used for dial-up and VPN environments. IEEE 802.1X defines
port-based network access control, and it is used to provide
authenticated network access for Ethernet, Token Ring, and Wireless
LANs (WLANs) [802.11].
Automated selection of certificates for PPP and IEEE 802.1X clients
is highly desirable. By using certificate extensions to identify the
intended environment for a particular certificate, the need for user
input is minimized. Further, the certificate extensions facilitate
the separation of administrative functions associated with
certificates used for different environments.
IEEE 802.1X can be used for authentication with multiple networks.
For example, the same wireless station might use IEEE 802.1X to
authenticate to a corporate IEEE 802.11 WLAN and a public IEEE 802.11
"hotspot." Each of these IEEE 802.11 WLANs has a different network
name, called Service Set Identifier (SSID). If the network operators
have a roaming agreement, then cross realm authentication allows the
same certificate to be used on both networks. However, if the
networks do not have a roaming agreement, then the IEEE 802.1X client
needs to select a certificate for the current network environment.
Including a list of SSIDs in a certificate extension facilitates
automated selection of an appropriate X.509 public key certificate
without human user input. Alternatively, a companion attribute
certificate could contain the list of SSIDs.
1.1. Conventions Used In This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, RFC 2119
[STDWORDS].
1.2. Abstract Syntax Notation
All X.509 certificate [X.509] extensions are defined using ASN.1
[X.208, X.209].
2. EAP Extended Key Usage Values
RFC 3280 [PROFILE] specifies the extended key usage X.509 certificate
extension. The extension indicates one or more purposes for which
the certified public key may be used. The extended key usage
extension can be used in conjunction with the key usage extension, which
indicates the intended purpose of the certified public key. For
example, the key usage extension might indicate that the certified
public key ought to be used only for validating digital signatures.
The extended key usage extension definition is repeated here for
convenience:
id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
KeyPurposeId ::= OBJECT IDENTIFIER
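The following is an added worked example, not code from the RFC. It encodes and decodes the ExtKeyUsageSyntax value defined above (a DER SEQUENCE of OBJECT IDENTIFIERs) with a small hand-written DER codec, then reports whether the EAP purposes are present. The id-ce-extKeyUsage arc {id-ce 37} from the text is 2.5.29.37; the EAP purpose OIDs used here are the values RFC 3770 assigns under id-kp (1.3.6.1.5.5.7.3, arcs 13 and 14) and are assumed from the full RFC rather than taken from this excerpt. The sample extension value is constructed inline.

```python
"""Encode/decode an X.509 extKeyUsage extension value and check for EAP purposes.

Added example; not part of RFC 3770. Implements a minimal DER codec for
    ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
    KeyPurposeId ::= OBJECT IDENTIFIER
"""

# id-ce 37 -> 2.5.29.37 (id-ce = 2.5.29); taken from the definition above.
ID_CE_EXT_KEY_USAGE = "2.5.29.37"
# Assumed from the full RFC 3770 / RFC 3280 text, not from this excerpt.
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_EAP_OVER_PPP = "1.3.6.1.5.5.7.3.13"
ID_KP_EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"

TAG_OID = 0x06
TAG_SEQUENCE = 0x30


def _encode_length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    # First two arcs are packed into one subidentifier: 40*a0 + a1.
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    body = bytearray()
    for v in subids:
        chunk = [v & 0x7F]  # last septet has the high bit clear
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(chunk))
    return bytes([TAG_OID]) + _encode_length(len(body)) + bytes(body)


def encode_ext_key_usage(oids):
    """Encode a list of KeyPurposeId OIDs as ExtKeyUsageSyntax (SEQUENCE OF OID)."""
    if not oids:
        raise ValueError("ExtKeyUsageSyntax requires at least one KeyPurposeId")
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([TAG_SEQUENCE]) + _encode_length(len(body)) + body


def _read_tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value, position after the TLV)."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(data):
        raise ValueError("TLV value runs past end of data")
    return tag, data[pos:end], end


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    subids, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(v)
            v = 0
    first = subids[0]
    a0 = 0 if first < 40 else 1 if first < 80 else 2
    return ".".join(str(x) for x in [a0, first - 40 * a0] + subids[1:])


def decode_ext_key_usage(der):
    """Decode ExtKeyUsageSyntax; reject anything that is not a non-empty SEQUENCE OF OID."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != TAG_OID:
            raise ValueError("expected OBJECT IDENTIFIER inside ExtKeyUsageSyntax")
        oids.append(decode_oid(v))
    if not oids:
        raise ValueError("ExtKeyUsageSyntax requires at least one KeyPurposeId")
    return oids


def eap_purposes(der):
    """Return which EAP key purposes the extension value asserts."""
    oids = decode_ext_key_usage(der)
    return {"eapOverPPP": ID_KP_EAP_OVER_PPP in oids, "eapOverLAN": ID_KP_EAP_OVER_LAN in oids}


if __name__ == "__main__":
    # Constructed sample: a client certificate usable for TLS client auth and EAPOL.
    sample = encode_ext_key_usage([ID_KP_CLIENT_AUTH, ID_KP_EAP_OVER_LAN])
    print(sample.hex())
    print(decode_ext_key_usage(sample), eap_purposes(sample))
```

A selector that picks a certificate for an IEEE 802.1X client would call eap_purposes on each candidate's extKeyUsage value and skip certificates that assert neither EAP purpose; the decoder deliberately rejects an empty SEQUENCE because the syntax requires SIZE (1..MAX).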
This specification defines two KeyPurposeId values: one for EAP over
PPP, and one for EAP over LAN (EAPOL). Inclusion of the EAP over PPP
value indicates that the certified public key is appropriate for use