It has very little value as it can be easily changed on most platforms. Modern authorization is done using certificate properties as a lookup value. Correlation of an individual piece of hardware to a certificate property needs to be done during provisioning (which is the case in many deployments today).
tim From: Alan DeKok<mailto:[email protected]> Sent: Monday, June 28, 2021 4:00 PM To: Tim Cappalli<mailto:[email protected]> Cc: [email protected]<mailto:[email protected]>; [email protected]<mailto:[email protected]> Subject: Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03 On Jun 28, 2021, at 2:20 PM, Tim Cappalli <[email protected]> wrote: > The industry is moving away from any hardware identifier being sent off > device. I don’t think the physical MAC should ever be used as a device > identifier, even for channel binding. It's globally unique, which is a pretty useful identifier. > If a strong hardware-bound identifier is required, the organization should > use the TPM/SE for private key generation during provisioning/onboarding. From my reading of TCG / TPM / etc. stuff, the private key describes a *particular* device. Not a *known* device. i.e. the key is tied to a device, so it's a unique token. But it's not an *identifying* token, in that the administrator can tell which device is being provisioned. There still needs to be a way for the administrator to know which device is being used. Identifying a particular device is done via physical examination in a secure network, or via some unique hardware identifier. I might be missing something from the whole TPM infrastructure, tho. Alan DeKok.
_______________________________________________ Emu mailing list [email protected] https://www.ietf.org/mailman/listinfo/emu
