Re: [Emu] Version Notification for draft-dekok-emu-eap-usability-00.txt

Alan DeKok <aland@deployingradius.com> Thu, 15 July 2021 18:06 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <887c07d9-c62f-0fa4-e422-4e9bcfc39756@angry-red-pla.net>
Date: Thu, 15 Jul 2021 14:06:06 -0400
Cc: emu@ietf.org
Message-Id: <3FDB94D5-CD72-446F-839C-C0130E9FD5E0@deployingradius.com>
References: <162611255836.29278.13767587856449885761@ietfa.amsl.com> <D71E4C2D-53AC-4453-AF26-39D8684CEAF0@deployingradius.com> <887c07d9-c62f-0fa4-e422-4e9bcfc39756@angry-red-pla.net>
To: Carolin Baumgartner <latze@angry-red-pla.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/iIlAd5MKQGCkwH0bv282QtEorUA>

On Jul 15, 2021, at 10:24 AM, Carolin Baumgartner <latze@angry-red-pla.net> wrote:
> 
> Section 3.1, first bullet point on automation: I would mention "zero touch". That should be the goal from a user's perspective.

  Sure.

> Section 3.1, fifth (sixth) bullet point on mutual exchange of identities: How is that supposed to work? Don't get me wrong, I understand the rationale. But that requires a user to understand if the identity of the server is correct. I don't think that is a safe assumption. 

  The rest of the document tries to address this.  The idea is that the device uses the web root CAs to download a trusted CA for this domain, when using EAP.  Then, the device can tell the user that the EAP server for this domain is trusted, because it has a certificate signed by a known CA.

> Section 3.1, last bullet point: I agree on the technical rationale. However, that must be dead simple to verify from a user perspective.

  Yes.  It has to be managed automatically.

> General comment: EAP configuration and implementation is certainly one issue, but the whole certificate stuff is terrible from a user's point of view. We could try to solve it in this draft, but it certainly touches a lot of topics.

  The goal of the draft is to leverage the web root, in order to bootstrap trust in EAP.  The only real thing that the user needs to do is to enter:

Name: my.name@example.com
Password: superSecret

  Provided there's some network connection available, everything else can be automatic.

  Alan DeKok.
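The trust-bootstrap flow sketched in this reply, written out as an added example; this is not code from the draft or from anyone on the thread. It assumes the client already has the realm's EAP CA in hand after the web-trust step (the HTTPS download validated against the web root store), so that step is reduced to an injected `fetch` function, and the whole PKI below is constructed test data. The security-relevant points it makes concrete: the realm comes from the user's NAI, only the bootstrapped CA (not the web roots) is trusted for EAP, the server certificate must name the realm, and a realm with no published CA fails closed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// realmFromNAI returns the realm of an NAI (RFC 7542): "my.name@example.com" -> "example.com".
func realmFromNAI(nai string) (string, error) {
	at := strings.LastIndex(nai, "@")
	if at < 0 || at == len(nai)-1 {
		return "", errors.New("NAI carries no realm; cannot bootstrap server trust")
	}
	return strings.ToLower(nai[at+1:]), nil
}

// FetchRealmCA stands in for the web-trust step: in a real client it would download the
// realm's EAP CA over HTTPS, validated against the web root store. Injected here so the
// example runs offline (assumption, not the draft's discovery mechanism).
type FetchRealmCA func(realm string) (*x509.Certificate, error)

// verifyEAPServer checks an EAP server certificate against ONLY the CA bootstrapped for the
// user's realm and requires the certificate to name that realm. The web roots are deliberately
// absent from the pool: they were used to fetch the CA, not to trust the EAP server itself.
func verifyEAPServer(nai string, fetch FetchRealmCA, server *x509.Certificate) (string, error) {
	realm, err := realmFromNAI(nai)
	if err != nil {
		return "", err
	}
	ca, err := fetch(realm)
	if err != nil {
		return "", fmt.Errorf("bootstrap CA for %s: %w", realm, err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   realm,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return "", fmt.Errorf("EAP server for %s is NOT trusted: %w", realm, err)
	}
	return realm, nil
}

// --- constructed test PKI below; none of this is part of the draft ---

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA makes a self-signed CA, e.g. the one example.com publishes for its EAP servers.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}

// newServerCert makes an EAP server certificate for dnsName, signed by ca.
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName},
		DNSNames:  []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, ca, &key.PublicKey, caKey)
}

func main() {
	ca, caKey := newCA("example.com EAP CA")
	fetch := func(realm string) (*x509.Certificate, error) {
		if realm != "example.com" {
			return nil, errors.New("no EAP CA published for realm")
		}
		return ca, nil
	}
	good := newServerCert(ca, caKey, "example.com")
	rogueCA, rogueKey := newCA("Rogue AP CA")
	rogue := newServerCert(rogueCA, rogueKey, "example.com") // right name, wrong CA: an evil twin
	for _, s := range []*x509.Certificate{good, rogue} {
		if realm, err := verifyEAPServer("my.name@example.com", fetch, s); err != nil {
			fmt.Println(err)
		} else {
			fmt.Println("EAP server for", realm, "is trusted")
		}
	}
}
```

The rogue case is the one the usability argument hinges on: a server presenting the right name under a CA the user's realm never published is rejected without asking the user anything, which is what lets the device make the "this server is trusted" statement on the user's behalf.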