[Emu] Re: New Individual Draft: draft-gupta-emu-eap-wsim-00 (EAP-WSIM)
Praveen Gupta <pgupta@mobilestack.com> Wed, 17 June 2026 20:07 UTC
Return-Path: <pgupta@mobilestack.com>
X-Original-To: emu@mail2.ietf.org
Delivered-To: emu@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id F2240102F0FB1 for <emu@mail2.ietf.org>; Wed, 17 Jun 2026 13:07:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1781726867; bh=NVSAcjHXRWs0FYG4oZpES3Oz5WI0qFVe+DVf4uPoFhg=; h=From:To:Subject:Date:References:In-Reply-To; b=Ofke1Fg8bzWZKlmcWKOytxqlXwUIsKxfeLvBQNGuxDE0zs6SMSoWuhwDo4AlQXZNT vqCc+ER4yMEKpS8dlYDR1cgI209xFD5VW4KQQxwJfYUAFWpSZIULD6CDpR0RmThKq6 ey+YQWR28VEsjDaQQukeVlJEWSiuca/z/06U5nto=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=mobilestack.onmicrosoft.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xYKpim3K67I4 for <emu@mail2.ietf.org>; Wed, 17 Jun 2026 13:07:47 -0700 (PDT)
Received: from BYAPR05CU005.outbound.protection.outlook.com (mail-westusazon11020104.outbound.protection.outlook.com [52.101.85.104]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 04C4A102F0E24 for <emu@ietf.org>; Wed, 17 Jun 2026 13:07:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=crOesh4qyNU/i/T4NZ7LFhTr7tGy/QIsKu45ALCBo6NmGDm2vB66IITZN8eOh+C27jWKANzkUi3Aet32Hm740LqkPb+aqpkPnIzuC8ri12ylGHMag8hHvC7SSRAFOHMBTcdkLtGlZhTPEIX1bIBgVcDSyHfFyXtQjagNfHwWacDuH9BskUVOUF/lnjv0vXdQ3WL2XoQOjlBuPtC6RJvLGiBa7d82OHCCX/E8hlSpIJtLOGh7sQSVzwyUcKa3yCS+1f2xPqz64xxdzivjJzEDb9fj9YMESL0N6KmKZFkWAGMx1qogeFEfCzrIV88RunYJus3oOATx9GfXe8oli6cj6w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=NVSAcjHXRWs0FYG4oZpES3Oz5WI0qFVe+DVf4uPoFhg=; b=hUHwOIEPWLrfMVuOY4OcK/LRAUZbrbQ5JaLco9aJkzGhVxDBy9YfBRDAchKIZTEMfgxzv/Pv9OrqfOTkDP70iPtTgyg4TsolW+f/Gb6XyBMShNHUl+OC889ha4wG0SEfRclPxDU7hyOBb3AEK3WpWcMbI4uKNtfXEC+iAsiMkeZU2D9DZ5vSBQikvgw0zpqqI0xgYC1BSt++Y3i/vTR8Ja4kc4xReQJg91OPU7jDx87FWYT3ZSNZ/U2usmTEMiGXzlVa8S3to/vx8PhE0YmxrxRgGNDcoymI//68Vo1m5UELNdwCmIJU6vvcDBZjBtp3nA0oQwW+lH7S80SrLRHIvw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mobilestack.com; dmarc=pass action=none header.from=mobilestack.com; dkim=pass header.d=mobilestack.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mobilestack.onmicrosoft.com; s=selector1-mobilestack-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NVSAcjHXRWs0FYG4oZpES3Oz5WI0qFVe+DVf4uPoFhg=; b=Y+zY4H1sU2hidtXqTQuMwq0TBw9TZV061KOcS968lskKDtTg+UOSygAxEkEm8CYLizqiyKYn1PKjY6CMyEL5YGp+MZigcs9BA96b9eBEbIuyPQMLTaq3JLgjzouRBlxUIES91qodWs1A6q1LCiglG3CjMtI/Ef7hFoMRgY0MK/U=
Received: from DS4PR06MB11256.namprd06.prod.outlook.com (2603:10b6:8:322::20) by CO6PR06MB7604.namprd06.prod.outlook.com (2603:10b6:303:a7::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.139.11; Wed, 17 Jun 2026 20:06:52 +0000
Received: from DS4PR06MB11256.namprd06.prod.outlook.com ([fe80::f640:2ef3:4341:467d]) by DS4PR06MB11256.namprd06.prod.outlook.com ([fe80::f640:2ef3:4341:467d%3]) with mapi id 15.21.0139.009; Wed, 17 Jun 2026 20:06:52 +0000
From: Praveen Gupta <pgupta@mobilestack.com>
To: Michael Richardson <mcr@sandelman.ca>, "emu@ietf.org" <emu@ietf.org>
Thread-Topic: [Emu] Re: New Individual Draft: draft-gupta-emu-eap-wsim-00 (EAP-WSIM)
Thread-Index: AQHc/oF8Y2xzbW+d+E2p3uRD0j8HqrZDHxuQ
Date: Wed, 17 Jun 2026 20:06:52 +0000
Message-ID: <DS4PR06MB11256D494D207EF3FDD7B223FDCE42@DS4PR06MB11256.namprd06.prod.outlook.com>
References: <DS4PR06MB112561C00DFEE484861D6A698DC162@DS4PR06MB11256.namprd06.prod.outlook.com> <DS4PR06MB11256DBD7B0FDAC82A830F4D9DCE62@DS4PR06MB11256.namprd06.prod.outlook.com> <956853.1781718494@dyas>
In-Reply-To: <956853.1781718494@dyas>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mobilestack.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DS4PR06MB11256:EE_|CO6PR06MB7604:EE_
x-ms-office365-filtering-correlation-id: d83e1985-2b17-4580-593c-08deccabf950
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|23010399003|10070799003|1800799024|376014|366016|56012099006|5023799004|6133799003|18002099003|22082099003|3023799007|4143699003|38070700021;
x-microsoft-antispam-message-info: micqsLtPxyTkbXB1Efj/ipKnP1TAn9gUrZRTUi99BoErO/b020J9k1kbYTyMnZqyax3lYvBs6G60taIGA4/1SB9I6cUgCfHftW4arCWVXfdoYY4IrElE0WmDuTxZVkBvh8WtbFx7qWdCN3IsBbbq7kEMkY5FwOYbydJI4NGNMujllPojG7Gbs3OZJqVqxxDjMCUScCDfs1wdvqY6ftNebsQBz98jFzODE0zTXVo8Q+WSSvDmNZC1cbYd2v2U0rHV5zxv4bJ6UuCyuXTI+6MVH/65rFZ6bwMP2NVz+tyDGRS53x08vjrJsHaUDQSJMuiEpZhFfsrOjEA3qtLIUo6bjOJw9wOQoAiLNWo3uFvXhOyYARAmFDsLQGZRp1jIzbnbLOSiclDHUhrDerKnqmI+hL1oGx/CFlRWRuFrTA0N9gcNzD72HpRrIs+pw3+UM7MY20QIrNKDyvH4L227RBfIRVabvVwHZdeMrE2hZl+vgLt4T16Ost2TAfCJy7/M2ZfB9xnMtKsBe/W5Wkntitc2U4F3xX71rfF/oM0BPRL7FMfZ5tX0kigpCMstzu0J738itvyc6B90wBOSRSI5ZeXiWSdXthzOXE9GrQkjUFrHIlUj8WaOtuHQ8mLUnUQhgEV0ozlyzVa+d03McTJTqp6R+EowiEGfzJwH251+GAZ3gD5MC4vBfZV4BBQ8Da5HdFY0
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DS4PR06MB11256.namprd06.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(23010399003)(10070799003)(1800799024)(376014)(366016)(56012099006)(5023799004)(6133799003)(18002099003)(22082099003)(3023799007)(4143699003)(38070700021);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 2
x-ms-exchange-antispam-messagedata-0: 5Z+XN18pJlTJtV7RFotDwmF2OQKLCEnHQx3/4SiKdLKLPlwdrMnKufZrmZ12GsH1KUr2w+0AaZxZa4qoe0+Dq/aQ3GrU/dErmlU4Y/sGoBjBIHy/G7VvoCDSBLaP1ICfRSQ3/g+VbvTPX1Gvd0D8mwkJ3Yk9PNmFmhwuKbyDGqnhcJuOFgL1gl5RPGMTBqUHfIBcQGsUQCBtqVrgYLqV527YcuFqUTGScuv/SZqWew8Lccbcbtp+L5WkRhyAf3prtIio7dra/JyiDktku1S65HVKboWrIrjYGPzLKDFgOdkPtBQSK6FHMrQU0bhJYuwc5mw2sKK4lGBPStEh8obC9nvrCC1Z3Wu0WgAY6SykEbgSE9GN0dVgBYGPiFJP3u7jzuvjOpL02gSJBfvf2HF0RAEdMEFwoByCkmSkGK+1lcnjiDBjwRjBybh5PcQGSZmebfGecHJECg19HutosnM+qexlarN89JqKPMVMmLaUviFXNaOHsegisrNyscm5KhHTUHkXM7tU9Bo+cB5g6X/7UGUdNJI/kUnKD38uV3S/hoUERUIf92l14H4i4sEENsr4a4oN6V88VZm8S/DmzwmKVrwul1N34wQC2lMxt/0TlyCm2PEWncbkO6Ihj0jbJBp2K8MTSY2v9qfwo1ltevvB0IjputscdXHtLCa/Uv8dMqh6QAVvwyGZ+yqUtX0f3OCayTaIq3Z/idXpJB3Bzpa865jz7g3f7CQevPH9NUDUzNgYni5Uyn8LgcQB5TcarAQOjWf5Es+F8SiKo8SlMmJsuFUAJVrrNTEWVLerXHWe/GckZ75qBfAczbpcT4r7fy7WifBMAsQyrxfktrnQgWngy0aRZfT4yQ8h1VP/QXm3tXvbTY7gljVfKwFgeaYSIptraskAtiRtyN+biN1h1crAfqcvh12JZG/tr180evFm0F00hFXZcrWSQYA3Bdw0wNZb8k+4byQlYpsdAoLOf/kasevLPOQNIGqzvrBMTRpYGW4zNPIJ2/TuoHGV1deCxwPWGvRYucLsT2sIv0qbW3p/jVuK7yca1QsON/htTV11arDa6nr5ln2Qhx110Ds8lQe6eWmvRqt+fmbEOD+jGI1kIDrBRtP7kw/NdU/q4EgLJkkvXbBN3CVH6R0ksIyX82NyN6GCVea+x3tOpY8ZUCfkEus66SWIeoQakQ46Lkd2wVT224yVWfcfuUhw13CdwkA4aeqL3LaxAHBZExh1JCbysp53JOdEPl9P1h3s9KN4Svf1Lj/jUs8v5JNNKSBYug8MB2iIl0oAmHJ8/33t+Cq+1xky1CmG04l6Q6admxbN/xYEjHAY/CjwQVAB2v/oosyDJNvBiRIIlZBhGd9tooJ/gkV06lQSwXNwJ5MEORJKdRGvSiXnR4kdiBuVmHQEMsmKM0mu/YR9H8qsvbXfPjgrmuGVEy3XCYZL5nGGu+dl6t7B9rVDLfovNYAeINkg3g8nOBIw4f2lAX/M1N/jZkfWBY9v/LhcRy8GxBYrPI38D0DXdrdQBv8RbQYg4rcwt0NA9RNC22ZXJqUGDybAn+E+0XhWGtS4Kp6GQNNdrX+t2HB9RpcpSLVsNioQeBv9WIrcTI2ChBFLnZpPyz+o7RlAJ5okQdqXQ6YsWjkvFU2iMNFD/SlQJJRSkKoYWLXSLvg/LiU1J/Eo8hvD+Uq0X1mf7QpwQUc8RxjhFcDet+Tk7MpSqhMoPldZBaa4E/fm77nmP7302qhRGgd65XGnxhgMRFGbY02M0iEMJtqBNvarSPUXKKCaqEd9Xp8vj8znouILGfjejjKi
x-ms-exchange-antispam-messagedata-1: w01fkhF4gc+rzQ==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: mobilestack.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DS4PR06MB11256.namprd06.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d83e1985-2b17-4580-593c-08deccabf950
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jun 2026 20:06:52.7338 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d1fd1069-ced5-454f-9e48-da062d3bd7e5
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: G1xZc+DTXQRx+YBjBCbZ9v9/zCcMtv6n7yc5Rj4AJTxwgGxWpFyflRA9jOiCptBRuSu3ePd4zurYb07DHpDGiw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO6PR06MB7604
Message-ID-Hash: FSFSI3JNIQBJDBZNYU6JFEE54HWSLFZZ
X-Message-ID-Hash: FSFSI3JNIQBJDBZNYU6JFEE54HWSLFZZ
X-MailFrom: pgupta@mobilestack.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-emu.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Emu] Re: New Individual Draft: draft-gupta-emu-eap-wsim-00 (EAP-WSIM)
List-Id: "EAP Methods Update (EMU)" <emu.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/dhStw3rT5TTaZicU2WGS0mpQLQw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Owner: <mailto:emu-owner@ietf.org>
List-Post: <mailto:emu@ietf.org>
List-Subscribe: <mailto:emu-join@ietf.org>
List-Unsubscribe: <mailto:emu-leave@ietf.org>
Hello, I appreciate your feedback. Thank you for the review. Let me address the core questions. > As I understand the problem, it is that the MNOs do not offer any open way for enterprise systems to authenticate over RADIUS. The problem is more fundamental than API access. MNOs actively protect HLR/HSS/UDM as a security perimeter — no MNO will permit an enterprise to originate MAP/Diameter/SBI queries directly. More importantly: MNO subscribers already offload to enterprise Wi-Fi today, but do so using separate enterprise credentials (captive portals, guest SSIDs) with no relationship to their MNO subscription. The MNO loses all policy visibility, QoS control, and service continuity the moment the device touches enterprise Wi-Fi. When that subscriber moves between APs on a VoWiFi call, re-authentication takes 1,800–2,900 ms — a guaranteed dropped call every time. This is the current production reality in virtually every enterprise deployment. > What MNOs are going to be actively interested in doing this? MNOs are already experiencing this pain — they bear subscriber complaints for VoWiFi call drops on infrastructure they have no control over. But beyond the quality problem, placing the MNO in the active authentication loop for enterprise Wi-Fi offload is not architecturally viable at scale. A single MNO may have subscribers offloading across tens of thousands of enterprise venues simultaneously. Requiring a live HSS/HLR round-trip for every 802.1X authentication event across that estate is operationally and economically unrealistic — the MNO backend was never designed to serve as a real-time RADIUS endpoint for arbitrary third-party venues. This is precisely why an offline, venue-hosted solution is the correct architecture: the MNO provisions once, the MEA authenticates locally indefinitely, and the MNO backend is never in the per-authentication critical path. > If I was trying to solve this, I'd work with an MNO to enable a vetted on-prem RADIUS proxy. This assumes MNOs would be receptive to opening their authentication infrastructure to enterprise venues. In practice, the opposite is true — and for well-understood reasons. An MNO's HLR/HSS/UDM is among the most tightly controlled infrastructure in any operator network. It holds Ki for every subscriber. Permitting an enterprise venue to originate authentication queries against it — even through a vetted proxy — means the MNO must now trust the security posture, availability, and operational integrity of every enterprise it connects to. A single compromised enterprise proxy becomes a vector into the MNO's subscriber identity infrastructure. No MNO security or legal team will accept that exposure. This is not a business negotiation problem; it is a fundamental trust boundary. Beyond the security perimeter: a single MNO has subscribers offloading across tens of thousands of enterprise venues simultaneously. Routing every 802.1X authentication event for every Wi-Fi offload session through a live HLR/HSS round-trip across that entire estate is not operationally viable. The MNO authentication backend was never dimensioned for this traffic pattern. And even if both of those objections were somehow resolved, a RADIUS proxy still cannot solve the problem this draft addresses. Fast intra-enterprise handoff requires PMK-R1 key material to be pre-positioned at the target AP before the roam occurs — that requires a local R0 Key Holder on the enterprise edge. With a proxy, the MSK is produced on the MNO-side server; there is no local entity to derive and distribute PMK-R1 to enterprise APs. Every AP transition for a VoWiFi call would still require a full MNO round-trip, costing 1,800–2,900 ms — a guaranteed dropped call. The fast handoff problem is structurally unsolvable with a proxy architecture, regardless of how the proxy is vetted or provisioned. > Why are there any protocol changes required? Because every existing SIM-based EAP method — EAP-SIM, EAP-AKA, EAP-AKA', EAP-AKA' FS — requires a live query to the subscriber's home HSS/HLR/UDM to obtain RAND/AUTN/XRES. No query, no authentication. EAP-WSIM replaces that live query with a WSIM SIM card acting as a self-contained Authentication Centre on the enterprise edge. That replacement requires a new protocol. > Has MILENAGE-ECDH-FWD been to CFRG? It doesn't sound quantum-safe. CFRG submission is the intended next step pending initial EMU WG feedback, and I would welcome that review. On quantum safety: the framing of the question warrants examination. No currently deployed MNO SIM-based EAP method is quantum-safe. EAP-SIM uses HMAC-MD5/SHA1-based PRFs over a shared symmetric key. EAP-AKA and EAP-AKA' use MILENAGE, whose f1–f9 functions are built on AES-128 — providing approximately 64 bits of security against a quantum adversary via Grover's algorithm, not 128. Critically, none of these methods provide forward secrecy: compromise of the long-term shared key Ki retroactively exposes all past sessions. To be precise about EAP-WSIM's current construction: ECDH P-256 is not quantum-safe. Shor's algorithm running on a sufficiently capable quantum computer breaks elliptic curve discrete logarithm efficiently, meaning the forward secrecy guarantee does not hold in a post-quantum threat model. The MILENAGE component (AES-128) retains approximately 64-bit security under Grover, consistent with EAP-AKA. However, EAP-WSIM is a new protocol. Unlike EAP-AKA and EAP-AKA', which carry the design constraints of 2G/3G-era SIM hardware, EAP-WSIM has no legacy deployment to preserve compatibility with. We therefore intend to update the construction to replace ECDH P-256 with ML-KEM (FIPS 203) as the key encapsulation mechanism, making EAP-WSIM the first SIM-based EAP method to provide both offline mutual authentication and post-quantum forward secrecy. This is the right moment to build this correctly — standardizing a new method with known quantum vulnerability would be a missed opportunity. If the WG has a view on ML-KEM parameter selection or hybrid classical/PQ construction, that input would be welcome as part of this discussion. > How/why do client systems trust this local server? Through pre-association validation (BAD-MEA guard): the MNO application on the UE validates a hardware-backed MEA identity proof against the MNO's own CA before any EAP exchange begins. A rogue authenticator without a valid MNO-issued certificate is refused before any SIM credential is disclosed. Happy to go deeper on any of these. Draft: https://datatracker.ietf.org/doc/draft-gupta-emu-eap-wsim/ Praveen Gupta pgupta@mobilestack.com -----Original Message----- From: Michael Richardson <mcr@sandelman.ca> Sent: Wednesday, June 17, 2026 10:48 AM To: Praveen Gupta <pgupta@mobilestack.com>; emu@ietf.org Subject: Re: [Emu] Re: New Individual Draft: draft-gupta-emu-eap-wsim-00 (EAP-WSIM) I've only browsed your I-D. Praveen Gupta <pgupta@mobilestack.com> wrote: > I would appreciate your interest and feedback on this very important > solution gap for MNO-devices offloading to Enterprise-WIFI. As I understand the problem, it is that the MNOs do not offer any open way for enterprise, (or other EAP-SIM capable systems) to authenticate over radius. I'm not seeing how anything you've proposed solves that problem. > ─── What EAP-WSIM Addresses ────────────────────────────────── > EAP-WSIM proposes a venue-side Wireless SIM (WSIM) hardware > authenticator approved by the MNO, which holds keying material on-card > and runs MILENAGE-ECDH-FWD entirely offline-without contacting the MNO > backend during authentication. Key properties: Sounds like an interesting product/service. I don't know why it a "hardware authenticator" vs a virtual appliance to be run on-prem. What MNOs are going actively interested in doing this? I think it's gonna be a pretty hard-sell to almost every CFO. The people/enterprises who would most benefit from this, are likely least able to use it. > For enterprises: A single WSIM-provisioned authenticator (MEA) supports > any MNO subscriber without per-operator AAA integration. Operator > policy, SSID identity, and charging correlation hooks are preserved. I guess, backend through the MNO to the mobile (formerly "SS7") network. If I was trying to solve the problem as you outlined, then I'd be working with an MNO to enable them to offer some kind of vetted onboarding for an on-prem radius proxy. > I welcome review and discussion on: > 1. Whether the problem statement and gap analysis resonate with the > WG 2. Technical comments on the MILENAGE-ECDH-FWD construction and key > derivation 3. Relationship to ongoing EAP method work in the WG > 4. Interest in co-authoring or adopting as a WG item Why are there any protocol changes required? Which desktop/mobile OS vendors have committed to implementing EAP-WSIM? Why isn't EAP-SIM/AKA/AKA' with a radius proxy into the MNO enough? To me, this looks like MILEANGE-ECDH-FWD looking for a problem that it can solve. } No MNO backend } contact occurs at any point during the authentication exchange. So what really is the point? Does the EAP server have a "WSIM" per subscriber? How are those related to the (E)SIM card in my phone from my carrier? Has MILEAGE-ECDH-FWD been to CFRG? It doesn't sound quantum-safe to me. While EAP-AKA is essentially shared symmetric key, so it is. How/why do client systems trust this local server? -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | network architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- [Emu] New Individual Draft: draft-gupta-emu-eap-w… Praveen Gupta
- [Emu] Re: New Individual Draft: draft-gupta-emu-e… Praveen Gupta
- [Emu] Re: New Individual Draft: draft-gupta-emu-e… Michael Richardson
- [Emu] Re: New Individual Draft: draft-gupta-emu-e… Praveen Gupta