[Emu] ship and forget use cases for onboarding

2018-10-22 Thread Michael Richardson
aying, let's not invent a problem before we understand who actually has the problem and make sure that the people who can solve the problem are at our table. -- Michael Richardson , Sandelman Software Works -= IPv6 IoT consulting =- signature.asc Description: PGP signature ___ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu

Re: [Emu] Fwd: New Version Notification for draft-lear-brski-pop-00.txt

2018-10-22 Thread Michael Richardson
ip-to-holding-company. Holding company leases to end user for period of time. End user identity is never communicated back, and might be very much pseudonymous. I'm thinking about car-rentals, hotel rooms (full of devices), ... -- ] Never tell me the odds! | ipv6

Re: [Emu] FW: New Version Notification for draft-ietf-emu-eap-tls13-03.txt

2018-11-14 Thread Michael Richardson
ard-nosed, I would say that's an internal management issue, > and not a standards issue. But I get your point, and there are ways to > address this (see below). It might be a lack of standard way to access logs of EAP server issue. -- Michael Richardson, Sandelman Software Works

Re: [Emu] EAP-AKA' and Re: WG adoption call for draft-arkko-eap-aka-pfs

2019-04-03 Thread Michael Richardson
) allows you to even manually turn off 2G. They both allow you > to turn off 4G for battery savings but not 2G for security reasons. Ask > the company that made your phone ;) Sad to know. Thanks for explaining this. -- Michael Richardson, Sandelman Software Works -= IPv6 IoT consulting =-

[Emu] EAP-AKA' and Re: WG adoption call for draft-arkko-eap-aka-pfs

2019-03-29 Thread Michael Richardson
itigating this patent is more important than 5G succeeding for roaming. Finally, I want to point to: https://lwn.net/Articles/780078/ -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works| network arch

Re: [Emu] EAP-AKA' and Re: WG adoption call for draft-arkko-eap-aka-pfs

2019-03-30 Thread Michael Richardson
5G, then anything that gets in the way of adoption is a problem. If it's not important enough to fix the IPR, then it's actually that important. - adopting AKA is very important. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sa

Re: [Emu] EAP and Transport Protocol

2019-04-01 Thread Michael Richardson
"open1x" on the client side, but > those have been dead for 10 years. >> In particular, the use of the > Early truncation? lack of fragmentation :-) -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Softw

Re: [Emu] Notes on session resumption with TLS-based EAP methods

2019-03-10 Thread Michael Richardson
If there is no legit use case for TLS resumption, then it seems that EAP servers SHOULD disable TLS resumption. -- Michael Richardson, Sandelman Software Works -= IPv6 IoT consulting =-

Re: [Emu] Notes on session resumption with TLS-based EAP methods

2019-03-09 Thread Michael Richardson
me uses TTLS. It's not clear that anything in the alan> spec forbids or prevents this. What's in it for the user? Is this an attack? Does it avoid an interaction with a human? Does it enable mobility between different networks? Does this avoid some interaction with a two-factor authenticator? --

Re: [Emu] Re-charter text

2019-08-22 Thread Michael Richardson
shall produce the following documents: These read like milestones rather than areas of focus. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works| network architect [ ] m...@sandelman.ca http://www.sandelman.c

[Emu] BRSKI-TEAP vs regular connection (was Re: EAP questions ...)

2019-11-07 Thread Michael Richardson
On 2019-11-07 12:43 p.m., Alan DeKok wrote: >> E.g. we have documented in >> https://tools.ietf.org/html/draft-lear-eap-teap-brski-05#section-5 that: >> >> " A device that has not been bootstrapped at all SHOULD send an >> identity of teap-bootstrap@TBD1. " >> >> If we register that

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-13 Thread Michael Richardson
On 2019-11-13 7:40 a.m., Alan DeKok wrote: > On Nov 12, 2019, at 3:13 PM, Cappalli, Tim (Aruba) wrote: >> How does a public CA prove ownership of an SSID? > Do public CAs *always* verify addresses and/or telephone numbers, which are > normally included in certificates? They are?  I've

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-13 Thread Michael Richardson
On 2019-11-13 4:07 a.m., Alan DeKok wrote: > On Nov 12, 2019, at 11:43 AM, Russ Housley wrote: >> Can the extended key usage for EAP over a LAN ( id-kp-eapOverLAN ) solve >> this for you? It is defined in RFC 4334. A certificate for Web PKI should >> not include this extended key usage. >>

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-12 Thread Michael Richardson
On 2019-11-12 3:53 p.m., Jan-Frederik Rieckers wrote: > On 12.11.19 00:15, Owen Friel (ofriel) wrote: >> One deployment consideration is if an operator wants to use a public PKI >> (e.g. Lets Encrypt) for their AAA certs, then it could be years, if ever, >> before these extensions could be

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-12 Thread Michael Richardson
On 2019-11-12 7:15 a.m., Owen Friel (ofriel) wrote: > This is also related to ongoing anima discussions about RFC 8366, and how it > can bootstrap trust when the pinned domain cert is a public PKI CA, and not a > private CA, and hence additional domain (or realm or FQDN) info is also > needed

Re: [Emu] EAP/EMU recommendations for client cert validation logic

2019-12-17 Thread Michael Richardson
(public) CAs without invalidating the voucher. There might be a (3) that I can't think of right now. But, if these two requirements seem to contradict each other, then high-five to you, you were paying attention :-) -- Michael Richardson, Sandelman Software Works -= IPv6 IoT consulting =-

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-14 Thread Michael Richardson
On 2019-11-14 7:59 p.m., Alan DeKok wrote: > On Nov 13, 2019, at 6:23 PM, Michael Richardson wrote: >> I think that the issue isn't, can we find or define a OID that has the >> right semantics. >> I think that the issue whether or not any public CAs are

Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

2019-10-11 Thread Michael Richardson
, can wired just be a degenerate version of wifi, where there can be only one "ESSID", and there are no beacons to consider? -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software

Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

2019-10-11 Thread Michael Richardson
le do not expect to scan anything? -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works| network architect [ ] m...@sandelman.ca http://www.sandelman.ca/| ruby on rails[

Re: [Emu] [lamps] Using public CA infrastructure for autonomic bootstrapping over EAP.

2020-02-01 Thread Michael Richardson
y EE issued by the public trust anchor could be a valid authenticator. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works| network architect [ ] m...@sandelman.ca http://www.sandelman.ca/

Re: [Emu] BRSKI-TEAP vs regular connection (was Re: EAP questions ...)

2020-01-15 Thread Michael Richardson
n the action > request frames. To be clear, it would be doing TEAP (or EAP-TLS) to connect to the network, because it is already enrolled. If there are BRSKI-specific responses defined in TEAP, then I'm surprised. -- Michael Richardson, Sandelman Software Works -= IPv6 IoT consulting =-

[Emu] Using public CA infrastructure for autonomic bootstrapping over EAP.

2020-01-17 Thread Michael Richardson
an expiry/retry time in the certs-only CMC Simple PKI Response. I don't see a date in a RFC5652 Signed-Only certs-only container that could be used to cause pledges to get the /cacerts earlier than the expiry time of the CA. -- ] Never tell me the odds!

[Emu] using public CAs for IDevID and device certificates

2020-01-17 Thread Michael Richardson
Michael Richardson wrote: > 3. End User Client Certificates > A client certificate used to authenticate an end user may be used for > mutual authentication in TLS, ***EAP-TLS***, or messaging. The client > (to be very very very clear: not a consensus document a

Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

2020-01-17 Thread Michael Richardson
same root store as Web browsers > is the anti-pattern, because the requirements are different. And yet, almost every single thing out there would like to be connected to by a browser. They can't, so we have an app-per-thing, and/or no-security. -- Michael Richardson , Sandelman Softw

Re: [Emu] BRSKI-TEAP vs regular connection (was Re: EAP questions ...)

2020-01-16 Thread Michael Richardson
Eliot Lear (elear) wrote: >> On 15 Jan 2020, at 16:10, Michael Richardson wrote: >> >> >> Eliot Lear (elear) wrote: >>>> Owen, do we have a need to recognize that a device needs to perform >>>> onboarding again after a m

Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

2020-01-17 Thread Michael Richardson
iCert Global CA G2 CA Issuers - URI:http://cacerts.digicert.com/DigiCertGlobalCAG2.crt What's that quote about doctor's fixing themselves? -- Michael Richardson, Sandelman Software Works -= IPv6 IoT consulting =-

Re: [Emu] [lamps] EAP/EMU recommendations for client cert validation logic

2020-01-08 Thread Michael Richardson
are trusted by default for EAP. How can anyone be using public CAs for EAP, if none are trusted for EAP, and no public CAs issue certificates with id-kp-serverAuth? -- Michael Richardson, Sandelman Software Works -= IPv6 IoT consulting =-
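The EKU question running through the two threads above (Russ Housley's id-kp-eapOverLAN suggestion from RFC 4334, and the later question of whether any public CA issues certificates usable for EAP) comes down to which KeyPurposeId OIDs a certificate's ExtendedKeyUsage extension carries. What follows is an added example, not code from the list, from the drafts or from any AAA implementation: a standard-library-only Python decoder for the ExtKeyUsageSyntax value (RFC 5280, section 4.2.1.12) with the RFC 5280 and RFC 4334 key-purpose OIDs, and a hypothetical acceptance policy for an EAP server certificate. The two sample EKU values are constructed here; the policy function and its allow_web_pki switch are illustrative assumptions, not anything the drafts specify.

```python
"""Added example: decode an X.509 ExtendedKeyUsage value (RFC 5280, 4.2.1.12)
and apply an illustrative EAP-server EKU policy.  Standard library only.

ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
KeyPurposeId      ::= OBJECT IDENTIFIER
"""

# KeyPurposeId OIDs from RFC 5280 (serverAuth, clientAuth, anyExtendedKeyUsage)
# and RFC 4334 (eapOverPPP, eapOverLAN).
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_EAP_OVER_PPP = "1.3.6.1.5.5.7.3.13"
ID_KP_EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"


def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        # base-128 groups, most significant first, continuation bit on all but the last
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(groups))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID content")
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_eku(key_purposes):
    """DER-encode an ExtKeyUsageSyntax SEQUENCE (short-form length only)."""
    body = b"".join(encode_oid(o) for o in key_purposes)
    if len(body) >= 128:
        raise ValueError("EKU too long for short-form length")
    return bytes([0x30, len(body)]) + body


def decode_eku(der):
    """Parse an ExtKeyUsageSyntax value into a list of dotted OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ExtKeyUsageSyntax must be exactly one SEQUENCE")
    purposes, pos = [], 0
    while pos < len(body):
        t, content, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        purposes.append(decode_oid(content))
    if not purposes:
        raise ValueError("ExtKeyUsageSyntax needs at least one KeyPurposeId")
    return purposes


def eap_server_eku_ok(der, allow_web_pki=False):
    """Illustrative policy (an assumption, not from any draft): accept
    id-kp-eapOverLAN or anyExtendedKeyUsage; a serverAuth-only Web PKI
    certificate is accepted only if the operator explicitly opts in."""
    purposes = decode_eku(der)
    if ID_KP_EAP_OVER_LAN in purposes or ANY_EXTENDED_KEY_USAGE in purposes:
        return True, "id-kp-eapOverLAN (or anyExtendedKeyUsage) present"
    if ID_KP_SERVER_AUTH in purposes:
        return allow_web_pki, "serverAuth only: Web PKI profile, no EAP purpose"
    return False, "no key purpose usable for EAP server authentication"


# Constructed sample EKU values (not taken from any real certificate).
WEB_PKI_EKU = encode_eku([ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH])
EAP_SERVER_EKU = encode_eku([ID_KP_SERVER_AUTH, ID_KP_EAP_OVER_LAN])

if __name__ == "__main__":
    for name, der in (("web-pki", WEB_PKI_EKU), ("eap-server", EAP_SERVER_EKU)):
        print(name, der.hex(), decode_eku(der), eap_server_eku_ok(der))
```

The block handles only the extension value, not a whole certificate: to use it on a real AAA certificate, extract the extKeyUsage extension's value octets with any X.509 parser and pass them to decode_eku. A real acceptance check would also need the extension's critical flag, the rest of the chain validation, and whatever name matching the supplicant does against the realm.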

Re: [Emu] TEAP Request-Action TLV

2020-04-30 Thread Michael Richardson
to send to me. > Hard code the ordering of requests so everyone knows what to expect. -- Michael Richardson, Sandelman Software Works -= IPv6 IoT consulting =-

Re: [Emu] I-D Action: draft-ietf-emu-eaptlscert-02.txt

2020-03-16 Thread Michael Richardson
ing the ID as a privacy enhancement. I don't think such a thing would be desirable, and TLS 1.3 provides other equivalent privacy enhancements, but I want to suggest you consider a new certificate container which contains a reference. IKEv2 already has that. -- Michael Richardson, Sandelman Soft

Re: [Emu] draft-ietf-emu-eap-tls13-11: OCSP Stapling

2020-10-26 Thread Michael Richardson
3. I do not think the > requirement should be softened, but if it is, my view is that it should > be softened as little as possible. -- Michael Richardson. o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide

Re: [Emu] draft-ietf-emu-eap-tls13-11: OCSP Stapling

2020-10-26 Thread Michael Richardson
o, running an OCSP server is something > that will be very new for many enterprises. -- Michael Richardson. o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide

Re: [Emu] draft-ietf-emu-eap-tls13-11: OCSP Stapling

2020-10-26 Thread Michael Richardson
>> system. > Again, what threat are we protecting against? The self-contained CA might have a passphrase, so there is some accommodation for updating the signing key for new algorithms, etc. while the trust anchor which is distributed is appropriately pessimistic. -- Michae

Re: [Emu] draft-ietf-emu-eap-tls13-11: OCSP Stapling

2020-10-26 Thread Michael Richardson
alidity periods. But, I agree with Eliot: the OCSP responder is new. It seems that maybe SHOULD would be appropriate on OCSP. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works|IoT architect [ ] m...@san

Re: [Emu] [Iot-directorate] Iotdir early review of draft-ietf-emu-eap-noob-01

2020-07-08 Thread Michael Richardson
/IP/Ethernet/WiFi stuff. Those devices do not use EAP today, and they are hard to upgrade. (and from a security point of view, those architectures concern me greatly) -- Michael Richardson, Sandelman Software Works -= IPv6 IoT consulting =-

Re: [Emu] Secdir early review of draft-ietf-emu-eap-noob-01

2020-06-28 Thread Michael Richardson
ce? This is a good question, and I can offer no answer for the EAP-NOOB case, and I leave it to the authors to respond to your other comments. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works|IoT archite

Re: [Emu] [Ace] [core] Proposed charter for ACE (EAP over CoAP?)

2020-12-07 Thread Michael Richardson
Could someone point to a use case for "EAP over CoAP" please? Is the goal to key an OSCORE context, or what? -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works|IoT architect [ ] m...@sa

Re: [Emu] [Ace] [core] Proposed charter for ACE (EAP over CoAP?)

2020-12-09 Thread Michael Richardson
"could", as if it was an afterthought. Tell me what is your application? What will be impossible if we don't do this work? -- Michael Richardson. o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide

Re: [Emu] Consensus Call on OCSP usage in draft-ietf-emu-eap-tls13-11

2020-10-30 Thread Michael Richardson
> [Joe] Thanks Michael, I think your suggestion is a better way to phrase it Just so that we are clear: this mandates OCSP+stapling for systems that do revocation checks. Systems that don't do revocation checks (current mbedtls), therefore don't need to do OCSP or stapling. -- Micha

Re: [Emu] Consensus Call on OCSP usage in draft-ietf-emu-eap-tls13-11

2020-10-30 Thread Michael Richardson
Joseph Salowey wrote: > On Fri, Oct 30, 2020 at 4:44 AM Michael Richardson > wrote: >> >> Joseph Salowey wrote: >> >> I suggest: >> >> >> >> “EAP-TLS servers supporting TLS 1.3 that use OCSP to do certificate

Re: [Emu] Making Security Practical ... was RE: Moving towards less security in 2020 - OCSP

2020-11-02 Thread Michael Richardson
ake the decision. Eliot, 1) it seems that if the CA hasn't put stapling information in, then it won't be needed. 2) if you still want stapling, then it seems to me that there are lifetimes in the staple which can be adjusted to deal with anticipated service interruptions in connectivity

Re: [Emu] draft-ietf-emu-eap-tls13-11: OCSP Stapling

2020-10-22 Thread Michael Richardson
Hannes Tschofenig wrote: > Thanks for the question. I am objecting to the mandatory use of OCSP for TLS 1.3 in EAP-TLS. > I am fine with having it optional. okay, so it's not about the stapling, at all for you, it's about the OCSP itself. -- Michael Richardson. o O ( IP

Re: [Emu] draft-ietf-emu-eap-tls13-11: OCSP Stapling

2020-10-21 Thread Michael Richardson
mu-eaptlscert worse. I am sure the authors are aware of > this fact since they are also co-authors of draft-ietf-emu-eaptlscert. -- Michael Richardson. o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide

Re: [Emu] draft-ietf-emu-eap-tls13-11: OCSP Stapling

2020-10-22 Thread Michael Richardson

Re: [Emu] Consensus Call on OCSP usage in draft-ietf-emu-eap-tls13-11

2020-10-29 Thread Michael Richardson
't know much about the last part. I suggest it be split as three paragraphs for readability. -- Michael Richardson. o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide

Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)

2021-01-05 Thread Michael Richardson
Alan DeKok wrote: > Therefore, we need an explicit signal to the EAP-TLS layer that the Do you mean, "to the EAP layer"? s/EAP-TLS layer/EAP/ ?? > EAP-TLS method has finished. -- Michael Richardson. o O ( IPv6 IøT consulting ) Sandelman Software W

Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)

2021-01-05 Thread Michael Richardson
"to the EAP-TLS layer that the EAP-TLS method has finished" so I still think that there might be a typo :-) -- Michael Richardson. o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide

Re: [Emu] Underspecification of EAP-TLS 1.3 State Machine

2021-02-03 Thread Michael Richardson
ion seems to be basically dancing around this. TLS 1.3 is too flexible, and we can't either constrain the TLS 1.3 state machine, nor can we depend upon it anymore the way that one could with 1.2. -- Michael Richardson. o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ott

Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03

2021-06-29 Thread Michael Richardson
Alan DeKok wrote: > On Jun 28, 2021, at 8:50 PM, Michael Richardson wrote: >> To date, Enterprises with laptops and PCs have provisioned the IDevID into >> the TPM, themselves, at the same time the device is wiped and the golden >> image is installed.

Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03

2021-06-28 Thread Michael Richardson
ient certificate is not transmitted in the clear during the handshake. If the supplicant can validate the server certificate, then a Mallory-in-the-Middle (onpath) attack also does not get the identity. -- Michael Richardson. o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ot

Re: [Emu] Issue 47 Certificate identity checks

2021-04-13 Thread Michael Richardson
he realm name enough to make the imposter cert from the non-authorized CA? I'm just trying to understand how the HTTPS cert is involved here. -- Michael Richardson. o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide

Re: [Emu] Consensus call for result indicators in EAP-TLS 1.3

2021-02-06 Thread Michael Richardson
more like that we are going from perhaps 5.5 round trips to 6.5 round trips (for example). I posit this, because I think that the increase in round trip count is largely irrelevant on non-challenged (RFC7228 term) networks. -- Michael Richardson. o O ( IPv6 IøT consulting )