Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03

Tim Cappalli <Tim.Cappalli@microsoft.com> Mon, 28 June 2021 20:05 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/djrZVG9KlXOzJGZPV6tcI12d740>

It has very little value as it can be easily changed on most platforms.

Modern authorization is done using certificate properties as a lookup value. Correlation of an individual piece of hardware to a certificate property needs to be done during provisioning (which is the case in many deployments today).

tim

From: Alan DeKok <aland@deployingradius.com>
Sent: Monday, June 28, 2021 4:00 PM
To: Tim Cappalli <Tim.Cappalli@microsoft.com>
Cc: oleg.pekar.2017@gmail.com; emu@ietf.org
Subject: Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03

On Jun 28, 2021, at 2:20 PM, Tim Cappalli <Tim.Cappalli@microsoft.com> wrote:
> The industry is moving away from any hardware identifier being sent off device. I don’t think the physical MAC should ever be used as a device identifier, even for channel binding.

  It's globally unique, which is a pretty useful identifier.

> If a strong hardware-bound identifier is required, the organization should use the TPM/SE for private key generation during provisioning/onboarding.

  From my reading of TCG / TPM / etc. stuff, the private key describes a *particular* device.  Not a *known* device.  i.e. the key is tied to a device, so it's a unique token. But it's not an *identifying* token, in that the administrator can tell which device is being provisioned.

  There still needs to be a way for the administrator to know which device is being used.  Identifying a particular device is done via physical examination in a secure network, or via some unique hardware identifier.  I might be missing something from the whole TPM infrastructure, tho.

  Alan DeKok.
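The pattern Tim describes above, an authorization lookup keyed on a certificate property with the hardware-to-certificate correlation recorded at provisioning time, as an added illustration that is not code from this thread or from any EAP server project. The inventory class, the `ENTERPRISE_CA` issuer name, the device records, the stand-in DER bytes and the MAC addresses are all constructed for the example; the certificate fingerprint (SHA-256 over the DER encoding) is one reasonable lookup key, and a server could equally use issuer plus serial. The client-reported MAC (what RADIUS carries as Calling-Station-Id) is kept only for correlation and anomaly reporting, never as the identity, which is the point of the exchange.

```python
"""Device authorization keyed on certificate properties, not on a hardware
identifier the client reports. Added example; names and data are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ENTERPRISE_CA = "CN=Example Corp Device CA"   # constructed issuer name


@dataclass(frozen=True)
class ClientCert:
    """Properties the TLS layer hands to authorization after the EAP-TLS
    handshake. `der` stands in for the certificate's DER bytes (constructed)."""
    der: bytes
    issuer: str
    serial: int
    common_name: str


def cert_fingerprint(cert: ClientCert) -> str:
    """SHA-256 of the DER encoding: fixed at issuance and not chosen by the client."""
    return hashlib.sha256(cert.der).hexdigest()


@dataclass
class DeviceRecord:
    asset_tag: str
    provisioned_mac: str   # observed during onboarding, kept for correlation only


class DeviceInventory:
    def __init__(self) -> None:
        self._by_fingerprint: Dict[str, DeviceRecord] = {}

    def enroll(self, cert: ClientCert, asset_tag: str, observed_mac: str) -> None:
        """Provisioning: the administrator has physically identified the device
        and ties the certificate issued to its (TPM/SE-backed) key to the asset."""
        if cert.issuer != ENTERPRISE_CA:
            raise ValueError("only enterprise-issued certificates are enrolled")
        self._by_fingerprint[cert_fingerprint(cert)] = DeviceRecord(
            asset_tag, observed_mac.lower())

    def authorize(self, cert: ClientCert,
                  calling_station_id: str) -> Tuple[bool, Optional[str], str]:
        """Authorization: identity comes from the certificate lookup. The MAC is
        compared only so a change can be reported; it never grants access."""
        if cert.issuer != ENTERPRISE_CA:
            return False, None, "untrusted-issuer"
        record = self._by_fingerprint.get(cert_fingerprint(cert))
        if record is None:
            return False, None, "unknown-certificate"
        note = "ok" if calling_station_id.lower() == record.provisioned_mac else "mac-drift"
        return True, record.asset_tag, note


# Constructed sample data: one enrolled laptop and one certificate that copies
# its common name but was issued to different key material.
inventory = DeviceInventory()
LAPTOP_CERT = ClientCert(der=b"constructed-der-laptop-0042", issuer=ENTERPRISE_CA,
                         serial=0x1001, common_name="laptop-0042.example.test")
inventory.enroll(LAPTOP_CERT, "LAPTOP-0042", "AA:BB:CC:DD:EE:01")
LOOKALIKE_CERT = ClientCert(der=b"constructed-der-other-key", issuer=ENTERPRISE_CA,
                            serial=0x2002, common_name="laptop-0042.example.test")


def run_demo() -> Dict[str, Tuple[bool, Optional[str], str]]:
    """Three authorization outcomes worth contrasting."""
    return {
        # Enrolled certificate, MAC unchanged since provisioning.
        "normal": inventory.authorize(LAPTOP_CERT, "aa:bb:cc:dd:ee:01"),
        # Enrolled certificate, MAC now different: still identified, but flagged.
        "mac_changed": inventory.authorize(LAPTOP_CERT, "02:00:00:00:00:01"),
        # Unknown certificate presenting an enrolled MAC: the MAC buys nothing.
        "known_mac_unknown_cert": inventory.authorize(LOOKALIKE_CERT, "aa:bb:cc:dd:ee:01"),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

The `mac_changed` case is the one that matters for Alan's concern about knowing which device is in use: the administrator still learns the asset tag, because the certificate was correlated to the physical device during provisioning, while the changed MAC only produces a drift note to investigate.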