On Jun 28, 2021, at 2:20 PM, Tim Cappalli <[email protected]> wrote: > The industry is moving away from any hardware identifier being sent off > device. I don’t think the physical MAC should ever be used as a device > identifier, even for channel binding.
It's globally unique, which is a pretty useful identifier. > If a strong hardware-bound identifier is required, the organization should > use the TPM/SE for private key generation during provisioning/onboarding. From my reading of TCG / TPM / etc. stuff, the private key describes a *particular* device. Not a *known* device. i.e. the key is tied to a device, so it's a unique token. But it's not an *identifying* token, in that the administrator can tell which device is being provisioned. There still needs to be a way for the administrator to know which device is being used. Identifying a particular device is done via physical examination in a secure network, or via some unique hardware identifier. I might be missing something from the whole TPM infrastructure, tho. Alan DeKok. _______________________________________________ Emu mailing list [email protected] https://www.ietf.org/mailman/listinfo/emu
