I've only browsed your I-D. Praveen Gupta <[email protected]> wrote: > I would appreciate your interest and feedback on this very important > solution gap for MNO-devices offloading to Enterprise-WIFI.
As I understand the problem, it is that the MNOs do not offer any open way
for enterprise, (or other EAP-SIM capable systems) to authenticate over
radius. I'm not seeing how anything you've proposed solves that problem.
> ─── What EAP-WSIM Addresses ──────────────────────────────────
> EAP-WSIM proposes a venue-side Wireless SIM (WSIM) hardware
> authenticator approved by the MNO, which holds keying material on-card
> and runs MILENAGE-ECDH-FWD entirely offline-without contacting the MNO
> backend during authentication. Key properties:
Sounds like an interesting product/service.
I don't know why it a "hardware authenticator" vs a virtual appliance to be
run on-prem. What MNOs are going actively interested in doing this?
I think it's gonna be a pretty hard-sell to almost every CFO.
The people/enterprises who would most benefit from this, are likely least
able to use it.
> For enterprises: A single WSIM-provisioned authenticator (MEA) supports
> any MNO subscriber without per-operator AAA integration. Operator
> policy, SSID identity, and charging correlation hooks are preserved.
I guess, backend through the MNO to the mobile (formerly "SS7") network.
If I was trying to solve the problem as you outlined, then I'd be working
with an MNO to enable them to offer some kind of vetted onboarding for an
on-prem radius proxy.
> I welcome review and discussion on:
> 1. Whether the problem statement and gap analysis resonate with the
> WG 2. Technical comments on the MILENAGE-ECDH-FWD construction and key
> derivation 3. Relationship to ongoing EAP method work in the WG
> 4. Interest in co-authoring or adopting as a WG item
Why are there any protocol changes required?
Which desktop/mobile OS vendors have committed to implementing EAP-WSIM?
Why isn't EAP-SIM/AKA/AKA' with a radius proxy into the MNO enough?
To me, this looks like MILEANGE-ECDH-FWD looking for a problem that it can
solve.
} No MNO backend
} contact occurs at any point during the authentication exchange.
So what really is the point?
Does the EAP server have a "WSIM" per subscriber? How are those related to
the (E)SIM card in my phone from my carrier?
Has MILEAGE-ECDH-FWD been to CFRG?
It doesn't sound quantum-safe to me.
While EAP-AKA is essentially shared symmetric key, so it is.
How/why do client systems trust this local server?
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
signature.asc
Description: PGP signature
_______________________________________________ Emu mailing list -- [email protected] To unsubscribe send an email to [email protected]
