Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03

2021-06-30 Thread Eliot Lear

Hi Alan

Slight segue...

On 30.06.21 15:38, Alan DeKok wrote:

> If the answer is "use TPM", then that doesn't meet people's existing needs.  It
> will also take many years for it to become standardized, much less ubiquitous.  As an
> example, here's an EAP / TPM paper from 2010:
>
> https://www.semanticscholar.org/paper/EAP-TPM-%3A-A-New-Authentication-Protocol-for-IEEE-.-Latze/6d755cf4d1ac1da25c8d02a2e5cba56212149d69

I think we have to be a bit careful about using the term "TPM". What we
care about are trust anchors, credentials, and operations on those.
Those objects might be stored in TPMs, but it seems to me that the
protocol does not need to be aware of that.

If we can be crisper on both the operations and the objects, I think
we'll do better.  Some of that is on us with a TEAP update, but I think
there's also a discussion to be had about that.

It's the T part of TEAP that is emphasized in the current work. The
operations and objects beyond that are underdeveloped.  That has to be a
lot cleaner as we move forward.

Eliot

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu


Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03

2021-06-30 Thread Alan DeKok
On Jun 29, 2021, at 6:40 PM, Michael Richardson wrote:
> I think that today, the answer is probably too bad because too complex.

  Yes.

> But, I think that most phones can do "Enterprise" WPA, and so a certificate
> can be loaded in to do EAP-TLS.

  ... somehow.  :(  Phone vendors are making this more difficult as time 
progresses.  I've heard from MDM vendors who are largely giving up, as the 
APIs, limitations, and capabilities keep changing.

  Which is why I'm trying to find something which is useful, and which doesn't 
require massive new infrastructure.

  If the answer is "use TPM", then that doesn't meet people's existing needs.  
It will also take many years for it to become standardized, much less 
ubiquitous.  As an example, here's an EAP / TPM paper from 2010:

https://www.semanticscholar.org/paper/EAP-TPM-%3A-A-New-Authentication-Protocol-for-IEEE-.-Latze/6d755cf4d1ac1da25c8d02a2e5cba56212149d69

  So we've had this capability for a decade.  But no one has found time / 
interest in moving forward with it.  This makes me think that TPM is not really 
the best choice here.

  Alan DeKok.
