Network Working Group R. Housley
Request for Comments: 4334 Vigil Security
Obsoletes: 3770 T. Moore
Category: Standards Track Microsoft
Certificate Extensions and Attributes Supporting
Authentication in Point-to-Point Protocol (PPP)
and Wireless Local Area Networks (WLAN)
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright (C) The Internet Society (2006).
This document defines two Extensible Authentication Protocol (EAP)
extended key usage values and a public key certificate extension to
carry Wireless LAN (WLAN) System Service identifiers (SSIDs). This
document obsoletes RFC 3770.
Housley & Moore Standards Track [Page 1]
RFC 4334 Supporting Authentication in PPP and WLAN February 2006
1. Introduction
Several Extensible Authentication Protocol (EAP) [EAP] authentication
methods employ X.509 public key certificates. For example, EAP-TLS
[EAP-TLS] can be used with PPP [PPP] as well as IEEE 802.1X [802.1X].
PPP is used for dial-up and VPN environments. IEEE 802.1X defines
port-based network access control, and it is used to provide
authenticated network access for Ethernet, Token Ring, Wireless LANs
(WLANs) [802.11], and other IEEE 802 networks.
Automated selection of client certificates for use with PPP and IEEE
802.1X is highly desirable. By using certificate extensions to
identify the intended environment for a particular certificate, the
need for user input is minimized. Further, the certificate
extensions facilitate the separation of administrative functions
associated with certificates used for different environments.
IEEE 802.1X can be used for authentication with multiple networks.
For example, the same wireless station might use IEEE 802.1X to
authenticate to a corporate IEEE 802.11 WLAN and a public IEEE 802.11
"hotspot." Each of these IEEE 802.11 WLANs has a different network
name, called Service Set Identifier (SSID). If the network operators
have a roaming agreement, then cross-realm authentication allows the
same certificate to be used on both networks. However, if the
networks do not have a roaming agreement, then the IEEE 802.1X
supplicant needs to select a certificate for the current network
environment. Including a list of SSIDs in a certificate extension
facilitates automated selection of an appropriate X.509 public key
certificate without human user input. Alternatively, a companion
attribute certificate could contain the list of SSIDs.
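The supplicant-side selection described above, as an added example that is not part of RFC 4334 itself. It assumes, from sections of the full RFC not shown in this excerpt, that the extension is identified by id-pe-wlanSSID (1.3.6.1.5.5.7.1.13) and carries SSIDList ::= SEQUENCE OF SSID with SSID ::= OCTET STRING (SIZE (1..32)); the certificate records and SSIDs are constructed stand-ins for parsed X.509 extensions.

```python
# Added example, not from RFC 4334. Assumed from the full RFC (not in this
# excerpt): id-pe-wlanSSID OID, SSIDList ::= SEQUENCE OF OCTET STRING (1..32).
ID_PE_WLAN_SSID = "1.3.6.1.5.5.7.1.13"

def _der_len(n):
    # DER length octets: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_tlv(buf, pos):
    # Return (tag, value, next_pos) for the TLV starting at buf[pos].
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first >= 0x80:  # long-form length
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + first], pos + first

def encode_ssid_list(ssids):
    """DER-encode SSIDList, enforcing SIZE (1..32) on each SSID."""
    body = b""
    for s in ssids:
        if not 1 <= len(s) <= 32:
            raise ValueError("SSID must be 1..32 octets")
        body += b"\x04" + _der_len(len(s)) + s
    return b"\x30" + _der_len(len(body)) + body

def decode_ssid_list(der):
    """Parse SSIDList, rejecting trailing data, empty lists and bad elements."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der) or not seq:
        raise ValueError("not a single non-empty SEQUENCE")
    ssids, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x04 or not 1 <= len(val) <= 32:
            raise ValueError("bad SSID element")
        ssids.append(val)
    return ssids

def select_certificate(certs, current_ssid):
    """Return the label of the first cert whose SSIDList names current_ssid."""
    for label, extensions in certs:  # extensions: constructed {oid: der}
        der = extensions.get(ID_PE_WLAN_SSID)
        if der is not None and current_ssid in decode_ssid_list(der):
            return label
    return None

# Constructed sample: a corporate cert and a hotspot cert, no roaming agreement.
CERTS = [
    ("corp", {ID_PE_WLAN_SSID: encode_ssid_list([b"CorpNet", b"CorpNet-Guest"])}),
    ("hotspot", {ID_PE_WLAN_SSID: encode_ssid_list([b"CityHotspot"])}),
]
```

A real supplicant would obtain the extension value from the parsed certificate rather than a dict, and a certificate with no SSID extension is skipped here because its suitability is governed by rules outside this excerpt.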
This document defines extended key usage values and a WLAN-specific
certificate extension for use in certificates issued to clients of
PPP and WLANs.
1.1. Changes since RFC 3770
This document is primarily the same as RFC 3770. Six significant changes
* This document now uses the same normative reference for ASN.1
as RFC 3280 [PROFILE]. The intent is to have the same
* The discussion of the critical bit in the certificate extension
in section 2 is aligned with RFC 3280. Also, the discussion of
the key usage certificate extension was expanded.
* RFC 3770 contained a typographical error in the object
identifier for the Wireless LAN SSID Attribute Certificate
Attribute. Section 4 corrects the typographical error.
* Clarified that the SSID extension may appear in certificates
that do not include the extended key usage extension.
* Uses the terms "peer", "EAP Server", and "supplicant" as they
are defined in [EAP] and [802.1X]. RFC 3770 used "client"
* The object identifier for the extended key usage certificate
extension is listed in RFC 3280, and it is no longer
repeated in this document.
1.2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",