Actually for card readers, the offline verification nature of
certificates is probably a nice property. But client certs pose
all sorts of other problems like their scalability, ease of making
changes (roles, etc), and other kinds of considerations that make
you want to fetch more information online... which completely
negates the advantages of offline verification. Just the CRL
problem would probably sink you since when you fire an employee
you want access to be cut off immediately.
The other thing that would scare me in general with expecting offline verification is the *reason* it's being used is for offline might get forgotten and back comes the online dependencies while nobody is looking.
BTW: you don't need to reach the trust anchor, though you almost
certainly need to run OCSP or something like it if you have client
certs.
Mike
On Tue, Oct 5, 2021 at 8:57 AM Kain, Becki (.) <bkain1@ford.com> wrote:
Why ever would have a card reader on your external facing network, if that was really the case why they couldn't get in to fix it?
Let's hypothesize for a moment.
Let's suppose you've decided that certificate-basedauthentication is the cat's meow, and so you've gotdot1x authentication on every network port in yourcorporate environment, all your users are authenticatedvia certificates, all properly signed all the way up thechain to the root trust anchor.
Life is good.
But then you have a bad network day. Suddenly,you can't talk to upstream registries/registrars,you can't reach the trust anchor for your certificates,and you discover that all the laptops plugged intoyour network switches are failing to validate theirauthenticity; sure, you're on the network, but you'rein a guest vlan, with no access. Your user credentialsaren't able to be validated, so you're stuck with thebase level of access, which doesn't let you into theOOB network.
Turns out your card readers were all counting ondot1x authentication to get them into the right vlanas well, and with the network buggered up, theswitches can't validate *their* certificates either,so the door badge card readers just flash theirLEDs impotently when you wave your badge atthem.
Remember, one attribute of certificates is that they aredesignated as valid for a particular domain, or set ofsubdomains with a wildcard; that is, an authenticator needsto know where the certificate is being presented to know ifit is valid within that scope or not. You can do that scopevalidation through several different mechanisms,such as through a chain of trust to a certificate authority,or through DNSSEC with DANE--but fundamentally,all certificates have a scope within which they are valid,and a means to identify in which scope they are beingused. And wether your certificate chain of trust isbeing determined by certificate authorities or DANE,they all require that trust to be validated by somethingother than the client and server alone--which generallymakes them dependent on some level of externalnetwork connectivity being present in order to properlyfunction. [yes, yes, we can have a side discussion abouthaving every authentication server self-sign certificatesas its own CA, and thus eliminate external networkconnectivity dependencies--but that's an administrativenightmare that I don't think any large organization wouldsign up for.]
So, all of the client certificates and authorization serverswe're talking about exist on your internal network, but theyall counted on reachability to your infrastructureservers in order to properly authenticate and grantaccess to devices and people. If your BGP updatemade your infrastructure servers, such as DNS servers,become unreachable, then suddenly you might wellfind yourself locked out both physically and logicallyfrom your own network.
Again, this is purely hypothetical, but it's one scenarioin which a routing-level "oooooops" could end up causingphysical-entry denial, as well as logical network accesslevel denial, without actually having those authenticationsystems on external facing networks.
Certificate-based authentication is scalable and cool, butit's really important to think about even generally "that'llnever happen" failure scenarios when deploying it intocritical systems. It's always good to have the "break glassin case of emergency" network that doesn't rely on dot1x,that works without DNS, without NTP, without RADIUS,or any other external system, with a binder with printoutsof the IP addresses of all your really critical servers androuters in it which gets updated a few times a year, so thatwhen the SHTF, a person sitting at a laptop plugged intothat network with the binder next to them can get into theemergency-only local account on each router to fix things.
And yes, you want every command that local emergency-onlyuser types into a router to be logged, because someone
wanting to create mischief in your network is going to aimfor that account access if they can get it; so watch it like ahawk, and the only time it had better be accessed and usedis when the big red panic button has already been hit, andthe executives are huddled around speakerphones wantingto know just how fast you can get things working again. ^_^;
I know nothing of the incident in question. But sitting at home,hypothesizing about ways in which things could go wrong, thisis one of the reasons why I still configure static emergencyaccounts on network devices, even with centrally administeredaccount systems, and why there's always a set of "no dot1x"ports that work to get into the OOB/management network evenwhen everything else has gone toes-up. :)
So--that's one way in which an outage like this could havelocked people out of buildings. ^_^;
Thanks!
Matt[ready for the deluge of people pointing out I've overly simplified thevalidation chain for certificates in order to keep the post short andhigh-level. ^_^; ]