[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Captive-portals] Fixing RFC 7710

On Thu, Mar 1, 2018 at 10:58 PM, Martin Thomson
<[email protected]> wrote:
> We've had a number of discussions in the captive portals group about
> fixing RFC 7710.

As one of the original authors of RFC 7710, I fully support this!

> Erik and I would like to propose a plan for that work.  We would keep
> this to addressing the issues that we have identified thus far.
> Namely:
> 1. The purpose of the URI is not well defined.  We would reference the
> capport architecture and API documents for that.  The group would need
> to decide between:
>   a. point to the API
>   b. point to a login page
> 2. There isn't a clear way to signal that there is no captive portal
> in the network.  It has been suggested that we use a special URL -
> e.g., urn:ietf:params:capport:unrestricted. Alternatively, we could
> privilege the empty string, but that doesn't have as clear a signal of
> intent.

Oooh, I like the special URL idea -- initially the thought was a combination of:

1: Until this is ubiquitously deployed (ha!), devices will need to do
CP heuristics, and so will discover the lack of CP through that.
2: If there is no CP, no-one is likely to include the option.
3: Since the vast majority of networks don't use CPs, is this an undue
burden on them?

> 3. RFC 7710 states that the URL SHOULD use an address literal.  This
> works at odds with the idea of using HTTPS.

Yeah, there was a significant amount of discussion on this at the time
of the original document -- I can probably dredge it up if needed, but
IIRC, it focused around the fact that 1: many clients behind a CP
would not have enough working connectivity to be able to do the DNS
stuff required to be able to validate the cert, and 2: a lack of
clarity on what exactly would be authenticated.

I'm at Washington Dulles airport, connect to the IAD_Free_WiFi SSID
and get a URL of https://www.your-preferred-internet-provider.com

1: The cert is likely to filled with such guff as:
 CPS: https://www.digicert.com/CPS
 OCSP - URI:http://status.rapidssl.com
 CA Issuers - URI:http://cacerts.rapidssl.com/RapidSSLRSACA2018.crt

Many clients have static / corporate DNS servers configured -- does
the CP operator simply allow any port 53 traffic so that the user can
resolve these? If so (fairly obviously), people who want to bypass the
CP will simply DNS tunnel all traffic.
Also, does the CP operator know which IPs cdp.rapidssl.com and
status.rapidssl.com will live behind on e.g Thursday? Or do they need
to constantly resolve URLs in the cert and dynamically allow access to
OSCP / CRL servers? Or does the CP also need to OSCP stale?

2: How does the client know that your-preferred-internet-provider.com
is the identity which *should* be providing Internets? Having the
client accept that /might/ give the impression that there is some
*reason* to believe this, and was viewed as a usability concern --
training users / developers to make a leap of trust that "you should
trust this identity is the right one" was viewed as a dangerous

Somehow this turned into "Just ship and then
that, um, someone else's problem"  -- before everyone jumps down my
throat, I'm not arguing for or against the positions, rather trying to
provide some background on how we ended up here. :-P

> Is there anyone who is willing to take on this work?  We aim to start
> and complete this work in <1 meeting cycle, starting in London.

I don't have the time to be the only / primary author, but I'd be more
than happy to help co-author (if that would be useful), contribute,
review, fold, spindle or mutilate -- whatever would be helpful.

> For the authors of RFC 7710, let us know if you have any concerns.

Speaking for myself: Good -- I'd like it if this became more useful -
my only concern would be the work *not* being done (I'm obviously
perfect in every way, including having the modesty to know my work
could be improved upon :-P )


I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.