Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03

Alan DeKok <> Tue, 29 June 2021 01:57 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 048403A1FCE for <>; Mon, 28 Jun 2021 18:57:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sB6_le39l72f for <>; Mon, 28 Jun 2021 18:57:04 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 67F863A1FCB for <>; Mon, 28 Jun 2021 18:57:03 -0700 (PDT)
Received: from [] ( []) by (Postfix) with ESMTPSA id BA4E746B; Tue, 29 Jun 2021 01:56:59 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
From: Alan DeKok <>
In-Reply-To: <7332.1624927848@localhost>
Date: Mon, 28 Jun 2021 21:56:58 -0400
Cc: EMU WG <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <7332.1624927848@localhost>
To: Michael Richardson <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 29 Jun 2021 01:57:09 -0000

On Jun 28, 2021, at 8:50 PM, Michael Richardson <> wrote:
> To date, Enterprises with laptops and PCs have provisioned the IDevID into
> the TPM, themselves, at the same time the device is wiped and the golden
> image is installed.  So, the TPM identity is actually known to them by construction.

  And... if I have my own phone?  Or if a university wishes to tie devices to student accounts?  So that they can limit (somewhat) abuses?

  For now, the answer is "too bad".  Or maybe "buy a $$$$ MDM solution".

  As someone who bought my own phone, I'm not going install some MDM solution which lets my employer wipe my personal device.  I would much prefer to be able to prove (a) it's my device, and (b) it has a unique device identifier.  The simpler the method, the better.

> Smartphones do not get provisioned that way, but at the factory.
> Ditto IoT devices, and routers that have IDevID.
> RFC8995(BRSKI) can help, and Eliot has a proposal about how to run that over TEAP.
> There are other ways too, and most wind up with an LDevID deployed.

  That's good, but I suspect it will take a while to get implemented and/or popular.

  Alan DeKok.