On Jun 30, 2021, at 9:52 AM, Eliot Lear <[email protected]> wrote:
> I think we have to be a bit careful about using the term "TPM". What we care 
> about are trust anchors, credentials, and operations on those.  Those objects 
> might be stored in TPMs, but it seems to me that the protocol does not need 
> to be aware of that.

  Yes.

> If we can be crisper on both the operations and the objects, I think we'll do 
> better.  Some of that is on us with a TEAP update, but I think there's also a 
> discussion to be had about that.
> 
> It's the T part of TEAP that is emphasized in the current work. The 
> operations and objects beyond that are underdeveloped.  That has to be a lot 
> cleaner as we move forward.

  My concern is that we need a way for an administrator to identify a 
particular device.  Either say "this particular phone", or "only this device 
has the given credentials."  Both use-cases are similar, but not the same.

  Once credentials are provisioned, then protocols like EAP can work without 
knowing where the credentials come from, or where they are stored.  But there's 
still a bootstrapping problem which remains unsolved.

  TEAP is one solution, but I don't think everyone is going to move to TEAP 
overnight.  It would be nice to have solutions for existing (and deployed) EAP 
methods.

  Alan DeKok.

_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
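An added example, not part of the thread and not code from any IETF or vendor implementation, of the check Alan describes once credentials are provisioned: an EAP/RADIUS policy point that identifies "this particular phone" using only the configured trust anchor and a per-device public-key pin, with no knowledge of whether the device key sits in a TPM. Everything here is constructed: the in-memory "Example Device CA", the device names phone-a and phone-b, the administrator label "Eliot's phone", and the enrolment map (the bootstrapping step the message says is still unsolved is simply assumed to have happened out of band). It demonstrates the first of Alan's two use cases; a chain check plus a pin cannot by itself establish the second one (that no other device holds the same credentials), which is why the "where the key is stored" question is separate from the EAP exchange.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Identity is what the administrator gets back on success: which enrolled
// device this credential belongs to.
type Identity struct {
	Label string // administrator's name for the device (constructed here)
	Pin   string // SPKI SHA-256 pin that matched
}

// spkiPin hashes the certificate's SubjectPublicKeyInfo. It identifies a key,
// not a certificate, so it survives re-issuance as long as the device keeps
// the same key pair.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// admitDevice does the two checks an EAP server can do with nothing but the
// presented certificate and its configured trust anchors:
//  1. the certificate chains to an anchor and is valid for client auth;
//  2. its key is one the administrator enrolled (pin -> label allowlist).
// Neither check knows or cares whether the private key lives in a TPM.
func admitDevice(cert *x509.Certificate, anchors *x509.CertPool, enrolled map[string]string) (Identity, error) {
	opts := x509.VerifyOptions{
		Roots:     anchors,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return Identity{}, fmt.Errorf("chain validation failed: %w", err)
	}
	pin := spkiPin(cert)
	label, ok := enrolled[pin]
	if !ok {
		return Identity{}, fmt.Errorf("valid certificate for %q but key %s is not enrolled", cert.Subject.CommonName, pin)
	}
	return Identity{Label: label, Pin: pin}, nil
}

// ---- constructed fixtures: an in-memory CA and three device certificates ----

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func certTemplate(cn string, ca bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue signs t with signerKey; parent == nil means self-signed.
func issue(t, parent *x509.Certificate, signerKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey) *x509.Certificate {
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

type Fixture struct {
	Anchors  *x509.CertPool
	Enrolled map[string]string
	PhoneA   *x509.Certificate // issued by the CA and enrolled
	PhoneB   *x509.Certificate // issued by the same CA, never enrolled
	Rogue    *x509.Certificate // self-signed, claims to be phone-a
}

func buildFixture() Fixture {
	caKey := newKey()
	ca := issue(certTemplate("Example Device CA", true), nil, caKey, &caKey.PublicKey)
	aKey, bKey, rKey := newKey(), newKey(), newKey()
	phoneA := issue(certTemplate("phone-a", false), ca, caKey, &aKey.PublicKey)
	phoneB := issue(certTemplate("phone-b", false), ca, caKey, &bKey.PublicKey)
	rogue := issue(certTemplate("phone-a", false), nil, rKey, &rKey.PublicKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	// The enrolment map stands in for whatever bootstrapping step put the
	// pin in the administrator's hands; the EAP-side check only consumes it.
	return Fixture{Anchors: pool, Enrolled: map[string]string{spkiPin(phoneA): "Eliot's phone"},
		PhoneA: phoneA, PhoneB: phoneB, Rogue: rogue}
}

func main() {
	f := buildFixture()
	for _, c := range []*x509.Certificate{f.PhoneA, f.PhoneB, f.Rogue} {
		id, err := admitDevice(c, f.Anchors, f.Enrolled)
		if err != nil {
			fmt.Printf("reject %-8s: %v\n", c.Subject.CommonName, err)
			continue
		}
		fmt.Printf("admit  %-8s: %s (pin %s)\n", c.Subject.CommonName, id.Label, id.Pin)
	}
}
```

Running it admits phone-a, rejects phone-b with a valid chain but no enrolled pin (same CA is not the same device), and rejects the self-signed impostor at chain validation. The pin is what distinguishes "a device our CA vouches for" from "this particular device"; the trust anchor alone gives only the former.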
