path: root/raddb/certs/xpextensions
blob: ae87f42228fbe5cac3172aa4cdc17d988a627ba9 (plain)
#
#  OpenSSL x509v3 extension sections carrying the OIDs that Windows and
#  iOS supplicants require on EAP-TLS / PEAP / TTLS certificates.
#  Use one section per certificate type when signing: xpclient_ext for
#  client (user or machine) certificates, xpserver_ext for the RADIUS
#  server certificate.
#
#  Windows:  http://support.microsoft.com/kb/814394/en-us
#  Apple:    https://support.apple.com/en-us/HT210176
#
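[xpclient_ext]
# id-kp-clientAuth: marks the certificate as usable for TLS client
# authentication (the EAP-TLS / PEAP / TTLS client certificate).
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
# Placeholder CRL distribution point.  Replace it with the URL where the
# CA's CRL is actually published, or remove the line, before issuing
# real certificates: a dead CDP URL advertises a revocation check that
# can never succeed and may cause strict relying parties to reject the
# certificate.  Server-side revocation checking of client certificates
# is configured in the RADIUS server's TLS settings, not here.
crlDistributionPoints = URI:http://www.example.com/example_ca.crl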

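[xpserver_ext]
# id-kp-serverAuth: marks the certificate as usable for TLS server
# authentication.  The Windows and Apple documents referenced at the top
# of this file require this EKU on the RADIUS server certificate.
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
# Placeholder CRL distribution point.  Replace it with the URL where the
# CA's CRL is actually published, or remove the line, before issuing
# real certificates: a dead CDP URL advertises a revocation check that
# can never succeed.  A supplicant normally has no network access until
# 802.1X completes, so it typically cannot fetch this CRL while
# validating the server certificate; prefer short server certificate
# lifetimes over relying on revocation.
crlDistributionPoints = URI:http://www.example.com/example_ca.crl

# Enterprise Wi-Fi clients certified for Wi-Fi Certified WPA3 Release 2
# (December 2019) or later honour the following two Wi-Fi Alliance
# certificate policies, which tighten how the client validates the
# server certificate:
#
# https://www.wi-fi.org/discover-wi-fi/security
#
# 'Trust Override Disabled - STRICT': the client may not ask the user
# for an ad-hoc trust decision ("Is this the certificate you expect
# here?").  It aborts authentication until it has been provisioned
# out-of-band with everything needed to verify the certificate, i.e.
# either the (CA, server name) tuple or the literal server certificate.
#
# 'Trust Override Disabled - TOFU': the client may ask the user for
# such an override exactly once, when first connecting to an unknown
# network.  Once the network is known and the trust decision made, any
# other certificate that would require another override is rejected and
# authentication aborted.
#
# Both policies protect against rogue authentication servers by ensuring
# that the configuration on the end-user device is sufficient to identify
# the genuine server.
#
# The difference is that TOFU allows a leap of faith on first sight of a
# network, once - comparable to how SSH establishes trust in a new host.
# This is convenient for users who did not configure their devices
# beforehand, at the cost that an attacker present at that first contact
# is trusted from then on.
#
# Administrators who consider the TOFU leap of faith unacceptable should
# choose STRICT; everyone else gains security by choosing TOFU without
# giving up convenience for their users.
#
# Including neither policy keeps the "anything goes" behaviour that was
# the norm before WPA3 Release 2.
#
# Enable at most one of the two lines below: a certificate may carry
# only one certificatePolicies extension, so do not uncomment the STRICT
# line while the TOFU line is active.
#
# 'Trust Override Disabled - STRICT'
#certificatePolicies = 1.3.6.1.4.1.40808.1.3.1
# 'Trust Override Disabled - TOFU'
certificatePolicies = 1.3.6.1.4.1.40808.1.3.2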

#
#  Machine (computer) authentication on Windows: the bag holding the
#  client's private key in its PKCS#12 (.p12/.pfx) file must carry the
#  Microsoft attribute below (szOID_LOCAL_MACHINE_KEYSET).  Its presence
#  tells Windows that the certificate is intended for use by the
#  computer itself and not by an end user.
#
#  This is a PKCS#12 bag attribute, not an X.509 extension, so it does
#  not belong in the extension sections above; OpenSSL adds it when the
#  PKCS#12 file is built with 'openssl pkcs12 -export -LMK ...'.
#
#  The alternative is to issue these certificates from Microsoft's web
#  certificate enrolment server instead.
#
# 1.3.6.1.4.1.311.17.2