On Oct 30, 2023, at 9:53 AM, josh.howl...@gmail.com wrote:
> This is true, but EAP-FIDO is still not a free lunch:
> - EAP-FIDO implies the existence of a web-service to perform the initial
> registration

Yes.

> - That web-service needs to share state with the RADIUS server

It is admittedly hard for administrators to talk to each other. But I don't think this is an unreasonable request to make.

> Today's turnkey EAP provisioning solutions are not *conceptually* dissimilar
> to this (often using self-signed CAs with EAP-TLS for mutual authn; and LDAP
> to the Enterprise directory to authz the client cert's SAN). The onboarding
> would just be transparent for an end-user because of the browser/OS/TPM
> integration (so no "installer" to download and execute).
>
> It would be very interesting if the initial registration could be performed
> in-band of EAP (using WebPKI).

That would be very useful. It's a balance between making the draft useful (large, long delay), or getting it done quickly, but perhaps missing features.

I think the ideal approach is for EAP-FIDO to allow:

* authentication via FIDO as discussed
* provisioning of FIDO credentials
* de-provisioning of credentials.

The last one is hard, as how do you de-provision credentials if you've deleted them, and you can't prove who you are?

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
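The shared-state and de-provisioning points above, as an added illustration that is not from the thread or from any EAP-FIDO implementation: a toy registry that the registration web-service and the RADIUS server would both read, with challenge-signature authentication and a de-provisioning path that requires proof of possession of the credential being removed. Ed25519 stands in for the FIDO credential key, and the `Registry`, `Register`, `Authenticate` and `Deprovision` names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry models the state the web-service and RADIUS server must share:
// user -> registered FIDO public keys (assumed toy model, Ed25519 as stand-in).
type Registry struct{ creds map[string][]ed25519.PublicKey }

func NewRegistry() *Registry { return &Registry{creds: map[string][]ed25519.PublicKey{}} }

// Register is the onboarding step performed out-of-band by the web-service.
func (r *Registry) Register(user string, pub ed25519.PublicKey) {
	r.creds[user] = append(r.creds[user], pub)
}

// signerIndex returns which of the user's keys signed the challenge, or -1.
func (r *Registry) signerIndex(user string, challenge, sig []byte) int {
	for i, pub := range r.creds[user] {
		if ed25519.Verify(pub, challenge, sig) {
			return i
		}
	}
	return -1
}

// Authenticate is the RADIUS-side check: the supplicant signs a fresh server challenge.
func (r *Registry) Authenticate(user string, challenge, sig []byte) bool {
	return r.signerIndex(user, challenge, sig) >= 0
}

// Deprovision removes the credential that signed the challenge. It demands proof
// of possession of that same key, which a user who already deleted it cannot give.
func (r *Registry) Deprovision(user string, challenge, sig []byte) error {
	i := r.signerIndex(user, challenge, sig)
	if i < 0 {
		return errors.New("no proof of possession: self-service de-provisioning refused")
	}
	r.creds[user] = append(r.creds[user][:i:i], r.creds[user][i+1:]...)
	return nil
}

func main() {
	reg, challenge := NewRegistry(), []byte("constructed nonce; a real server draws a fresh one per exchange")
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg.Register("alice", pub)
	fmt.Println("authenticate:", reg.Authenticate("alice", challenge, ed25519.Sign(priv, challenge)))
	fmt.Println("de-provision after deleting the key:", reg.Deprovision("alice", challenge, nil))
}
```

A stale key that the user can no longer sign with therefore stays registered until an administrator removes it through some other, out-of-band path; that is the gap the message points at.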