Re: [Emu] Network Access Authentication and Attestation

2023-10-13 Thread Hannes Tschofenig

Thanks, Josh.


There was some prior work done on this in the IETF and also in other
organizations (e.g. TCG). It may have been ahead of its time and many
years have passed since.


Ciao

Hannes


On 13.10.2023 at 11:02, josh.howl...@gmail.com wrote:

The Network Endpoint Assessment (NEA) Working Group worked on this problem:
https://datatracker.ietf.org/wg/nea/about/

Josh


-----Original Message-----
From: Emu  On Behalf Of Hannes Tschofenig
Sent: Friday, October 13, 2023 9:16 AM
To: emu@ietf.org
Subject: [Emu] Network Access Authentication and Attestation

Hi all,

in the AD review of the SUIT MUD draft, see
https://datatracker.ietf.org/doc/draft-ietf-suit-mud/ and
https://mailarchive.ietf.org/arch/msg/suit/xRT55NR6fAQuuSYmApXAdC-zO8U/,
Roman noted that we are assuming that an EAT-based attestation mechanism
is available for network access authentication protocols.

While there has been talk about adding attestation to EAP methods, I am not
aware of any work specifically in the EMU group.

Coincidentally, we are working on a solution for adding attestation to TLS, see
https://datatracker.ietf.org/doc/draft-fossati-tls-attestation/, where we
define an extension that can be added on a need-by-need basis. It could also
be incorporated into TLS-based EAP methods.

Has someone in the group considered the use of attestation for network
access and as part of TLS-based EAP methods in particular?

The use case is described in Section 2.1 of RFC 9334, see
https://datatracker.ietf.org/doc/html/rfc9334#name-network-endpoint-assessment
The main benefit is there described as follows: "Remote attestation is desired
to prevent vulnerable or compromised devices from getting access to the
network and potentially harming others."

We are happy to give a presentation or show our prototype at the hackathon.

Ciao
Hannes

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu




Re: [Emu] Network Access Authentication and Attestation

2023-10-13 Thread josh.howlett
The Network Endpoint Assessment (NEA) Working Group worked on this problem:
https://datatracker.ietf.org/wg/nea/about/

Josh

> -----Original Message-----
> From: Emu  On Behalf Of Hannes Tschofenig
> Sent: Friday, October 13, 2023 9:16 AM
> To: emu@ietf.org
> Subject: [Emu] Network Access Authentication and Attestation
> 
> Hi all,
> 
> in the AD review of the SUIT MUD draft, see
> https://datatracker.ietf.org/doc/draft-ietf-suit-mud/ and
> https://mailarchive.ietf.org/arch/msg/suit/xRT55NR6fAQuuSYmApXAdC-zO8U/,
> Roman noted that we are assuming that an EAT-based attestation mechanism
> is available for network access authentication protocols.
> 
> While there has been talk about adding attestation to EAP methods, I am not
> aware of any work specifically in the EMU group.
> 
> Coincidentally, we are working on a solution for adding attestation to TLS, see
> https://datatracker.ietf.org/doc/draft-fossati-tls-attestation/, where we
> define an extension that can be added on a need-by-need basis. It could also
> be incorporated into TLS-based EAP methods.
> 
> Has someone in the group considered the use of attestation for network
> access and as part of TLS-based EAP methods in particular?
> 
> The use case is described in Section 2.1 of RFC 9334, see
> https://datatracker.ietf.org/doc/html/rfc9334#name-network-endpoint-assessment
> The main benefit is there described as follows: "Remote attestation is desired
> to prevent vulnerable or compromised devices from getting access to the
> network and potentially harming others."
> 
> We are happy to give a presentation or show our prototype at the hackathon.
> 
> Ciao
> Hannes


[Emu] Network Access Authentication and Attestation

2023-10-13 Thread Hannes Tschofenig

Hi all,

in the AD review of the SUIT MUD draft, see
https://datatracker.ietf.org/doc/draft-ietf-suit-mud/ and
https://mailarchive.ietf.org/arch/msg/suit/xRT55NR6fAQuuSYmApXAdC-zO8U/,
Roman noted that we are assuming that an EAT-based attestation mechanism
is available for network access authentication protocols.

While there has been talk about adding attestation to EAP methods, I am
not aware of any work specifically in the EMU group.

Coincidentally, we are working on a solution for adding attestation to
TLS, see
https://datatracker.ietf.org/doc/draft-fossati-tls-attestation/, where
we define an extension that can be added on a need-by-need basis. It
could also be incorporated into TLS-based EAP methods.

Has someone in the group considered the use of attestation for network
access and as part of TLS-based EAP methods in particular?

The use case is described in Section 2.1 of RFC 9334, see
https://datatracker.ietf.org/doc/html/rfc9334#name-network-endpoint-assessment
The main benefit is there described as follows: "Remote attestation is
desired to prevent vulnerable or compromised devices from getting access
to the network and potentially harming others."

We are happy to give a presentation or show our prototype at the hackathon.

Ciao
Hannes
