On Jun 29, 2021, at 6:40 PM, Michael Richardson <[email protected]> wrote:
> I think that today, the answer is probably too bad because too complex.

Yes.

> But, I think that most phones can do "Enterprise" WPA, and so a certificate
> can be loaded in to do EAP-TLS.

... somehow. :( Phone vendors are making this more difficult as time progresses. I've heard from MDM vendors who are largely giving up, as the APIs, limitations, and capabilities keep changing.

Which is why I'm trying to find something which is useful, and which doesn't require massive new infrastructure.

If the answer is "use TPM", then that doesn't meet people's existing needs. It will also take many years for it to become standardized, much less ubiquitous.

As an example, here's an EAP / TPM paper from 2010:

https://www.semanticscholar.org/paper/EAP-TPM-%3A-A-New-Authentication-Protocol-for-IEEE-.-Latze/6d755cf4d1ac1da25c8d02a2e5cba56212149d69

So we've had this capability for a decade. But no one has found time / interest in moving forward with it. This makes me think that TPM is not really the best choice here.

Alan DeKok.
