From 50b37d4a27d3295a29afca2286f1a5a086142cec Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 28 Apr 2024 11:49:46 +0200 Subject: Adding upstream version 3.2.1+dfsg. Signed-off-by: Daniel Baumann --- raddb/certs/xpextensions | 75 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 raddb/certs/xpextensions (limited to 'raddb/certs/xpextensions') diff --git a/raddb/certs/xpextensions b/raddb/certs/xpextensions new file mode 100644 index 0000000..ae87f42 --- /dev/null +++ b/raddb/certs/xpextensions @@ -0,0 +1,75 @@ +# +# File containing the OIDs required for Windows +# and iOS +# +# http://support.microsoft.com/kb/814394/en-us +# +# https://support.apple.com/en-us/HT210176 +# +[ xpclient_ext] +extendedKeyUsage = 1.3.6.1.5.5.7.3.2 +crlDistributionPoints = URI:http://www.example.com/example_ca.crl + +[ xpserver_ext] +extendedKeyUsage = 1.3.6.1.5.5.7.3.1 +crlDistributionPoints = URI:http://www.example.com/example_ca.crl + +# Enterprise Wi-Fi clients from 2020 onwards which have the +# Wi-Fi Certified WPA3 Release 2 (December 2019) certification +# honour the following two policies for enhanced security +# posture regarding certificate validation: +# +# https://www.wi-fi.org/discover-wi-fi/security +# +# Adding the 'Trust Override Disabled - STRICT' policy means that +# the client device is not allowed to request and accept ad-hoc +# trust decisions from the user ("Is this the certificate you +# expect here?") and instead aborts authentication until the +# device has been properly configured using out-of-band means +# with all the details needed to verify the certificate (i.e. +# either the tuple (CA, server name) or the literal server cert). +# +# Adding the 'Trust Override Disabled - TOFU' policy means that +# the client device is allowed to ask the end user for such an +# override exactly once, when first connecting to an unknown +# network. Once the network is known and the trust decision made, +# any other certificate that is presented and would require +# another override is rejected and authentication aborted. +# +# Both of these policies provide a protection against rogue +# authentication servers in that they make sure configurations +# on end user devices are sufficient to identify the genuine +# server. +# +# The difference is that the TOFU policy allows a leap of faith +# on first sight of a network ONCE - very much comparable to +# how SSH establishes trust in a new host. This adds convenience +# for end users who did not bother to configure their devices +# beforehand, but adds an element of uncertainty in that the +# attacker could be present on that first contact with the network. +# +# Network administrators who consider the TOFU leap of faith +# unacceptable should choose STRICT; everyone else gains security +# by choosing TOFU without giving up on convenience for their +# end users. +# +# For completeness, it is also possible to include none of the +# two to stay with the "anything goes" that was the situation +# prior to Wi-Fi Certified WPA3 Release December 2019. +# +# This is the 'Trust Override Disabled - STRICT' policy. +#certificatePolicies = 1.3.6.1.4.1.40808.1.3.1 +# This is the 'Trust Override Disabled - TOFU' policy. +certificatePolicies = 1.3.6.1.4.1.40808.1.3.2 + +# +# Add this to the PKCS#7 keybag attributes holding the client's private key +# for machine authentication. +# +# the presence of this OID tells Windows XP that the cert is intended +# for use by the computer itself, and not by an end-user. +# +# The other solution is to use Microsoft's web certificate server +# to generate these certs. +# +# 1.3.6.1.4.1.311.17.2 -- cgit v1.2.3