I've only browsed your I-D.

Praveen Gupta <[email protected]> wrote:
    > I would appreciate your interest and feedback on this very important
    > solution gap for MNO-devices offloading to Enterprise-WIFI.

As I understand the problem, it is that the MNOs do not offer any open way
for enterprise, (or other EAP-SIM capable systems) to authenticate over
radius.   I'm not seeing how anything you've proposed solves that problem.

    > ─── What EAP-WSIM Addresses ──────────────────────────────────
    > EAP-WSIM proposes a venue-side Wireless SIM (WSIM) hardware
    > authenticator approved by the MNO, which holds keying material on-card
    > and runs MILENAGE-ECDH-FWD entirely offline-without contacting the MNO
    > backend during authentication. Key properties:

Sounds like an interesting product/service.
I don't know why it a "hardware authenticator" vs a virtual appliance to be
run on-prem.   What MNOs are going actively interested in doing this?
I think it's gonna be a pretty hard-sell to almost every CFO.
The people/enterprises who would most benefit from this, are likely least
able to use it.

    > For enterprises: A single WSIM-provisioned authenticator (MEA) supports
    > any MNO subscriber without per-operator AAA integration. Operator
    > policy, SSID identity, and charging correlation hooks are preserved.

I guess, backend through the MNO to the mobile (formerly "SS7") network.
If I was trying to solve the problem as you outlined, then I'd be working
with an MNO to enable them to offer some kind of vetted onboarding for an
on-prem radius proxy.

    > I welcome review and discussion on:

    >   1. Whether the problem statement and gap analysis resonate with the
    > WG 2. Technical comments on the MILENAGE-ECDH-FWD construction and key
    > derivation 3. Relationship to ongoing EAP method work in the WG
    > 4. Interest in co-authoring or adopting as a WG item

Why are there any protocol changes required?
Which desktop/mobile OS vendors have committed to implementing EAP-WSIM?
Why isn't EAP-SIM/AKA/AKA' with a radius proxy into the MNO enough?
To me, this looks like MILEANGE-ECDH-FWD looking for a problem that it can 
solve.

}   No MNO backend
}   contact occurs at any point during the authentication exchange.

So what really is the point?
Does the EAP server have a "WSIM" per subscriber?  How are those related to
the (E)SIM card in my phone from my carrier?

Has MILEAGE-ECDH-FWD been to CFRG?
It doesn't sound quantum-safe to me.
While EAP-AKA is essentially shared symmetric key, so it is.

How/why do client systems trust this local server?

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Emu mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to