Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03

Alan DeKok <aland@deployingradius.com> Mon, 28 June 2021 22:37 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/-z6n0L-eekWzOiyOUJfsdMpXjuc>

On Jun 28, 2021, at 4:05 PM, Tim Cappalli <Tim.Cappalli@microsoft.com> wrote:
> Modern authorization is done using certificate properties as a lookup value. Correlation of an individual piece of hardware to a certificate property needs to be done during provisioning (which is the case in many deployments today).

  And in the deployments where people don't do such provisioning?  I would very much prefer to have a solution there.

  The solution right now is "intrusive MDM software".  Not everyone can do (or afford) that.  And MDM configuration is becoming more and more complex.  Vendors randomly change APIs, UIs, and workflows.  It's all a horrible bodge which is productive for no one.

  Alan DeKok.