Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03

Eliot Lear <lear@lear.ch> Wed, 30 June 2021 13:52 UTC

Return-Path: <lear@lear.ch>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3043E3A1D50 for <emu@ietfa.amsl.com>; Wed, 30 Jun 2021 06:52:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.228
X-Spam-Level:
X-Spam-Status: No, score=-1.228 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, NICE_REPLY_A=-0.338, SPF_PASS=-0.001, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=lear.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F9E5hP3S52uQ for <emu@ietfa.amsl.com>; Wed, 30 Jun 2021 06:52:32 -0700 (PDT)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [185.32.222.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D80D73A1D4E for <emu@ietf.org>; Wed, 30 Jun 2021 06:52:31 -0700 (PDT)
Received: from Lear-Air.local (31-10-155-187.cgn.dynamic.upc.ch [31.10.155.187]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-18) with ESMTPSA id 15UDqOi6090406 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Wed, 30 Jun 2021 15:52:25 +0200
Authentication-Results: upstairs.ofcourseimright.com; dmarc=none (p=none dis=none) header.from=lear.ch
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1625061145; bh=BS75tBYoSiwJj73EC3d9jwtmLykFZkSPA/ApnARtW1s=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=TzlrsajPo0wYFlgsjUjI7n4TzeQ0rGF/sU81Q5n064nCqVn9cNu2cZFgus3mygB92 lhASohSCrvzD1KXeIuM54+lEgdtyXbWlGSgI34Su5rIxyZvquOwLtRPh0c95f4BGqe sY2jmRyyERGP4i+tZZL8I+n3umftn/RrNmgEkDaw=
To: Alan DeKok <aland@deployingradius.com>, Michael Richardson <mcr+ietf@sandelman.ca>
Cc: EMU WG <emu@ietf.org>
References: <DB6D339A-710C-4EC4-9F8E-4B8602632AE1@deployingradius.com> <CABXxEz8EBUz_y1FmQTE9C8cpF+3vqy-mPCx8CnyUMZ72pNifAA@mail.gmail.com> <SJ0PR00MB1038767373E0DE9E3D7BE0DA95039@SJ0PR00MB1038.namprd00.prod.outlook.com> <C7DBE2EB-82BF-4229-B0AF-4BA48B2D45BC@deployingradius.com> <7332.1624927848@localhost> <4F79B7DB-7E55-4564-88AE-C6E2AF8FD293@deployingradius.com> <26359.1625006432@localhost> <BFA8E5C4-D368-41BF-AFA9-BAA35B666F8A@deployingradius.com>
From: Eliot Lear <lear@lear.ch>
Message-ID: <a02d4815-dbfa-e0a0-99fb-0f53127f2fd1@lear.ch>
Date: Wed, 30 Jun 2021 15:52:21 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <BFA8E5C4-D368-41BF-AFA9-BAA35B666F8A@deployingradius.com>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="FJwhN9LgtpkQ0dfFKslqYs6eO2m1qiNa8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/ibc6t3vOKgNc5At0ON646CE3T3k>
Subject: Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jun 2021 13:52:37 -0000

Hi Alan

Slight segue..

On 30.06.21 15:38, Alan DeKok wrote:
> If the answer is "use TPM", then that doesn't meet peoples existing needs.  It will also take many years for it to become standardized, much less ubiquitous.  As an example, here's an EAP / TPM paper from 2010:
>
> https://www.semanticscholar.org/paper/EAP-TPM-%3A-A-New-Authentication-Protocol-for-IEEE-.-Latze/6d755cf4d1ac1da25c8d02a2e5cba56212149d69


I think we have to be a bit careful about using the term "TPM". What we 
care about are trust anchors, credentials, and operations on those.  
Those objects might be stored in TPMs, but it seems to me that the 
protocol does not need to be aware of that.

If we can be crisper on both the operations and the objects, I think 
we'll do better.  Some of that is on us with a TEAP update, but I think 
there's also a discussion to be had about that.

It's the T part of TEAP that is emphasized in the current work. The 
operations and objects beyond that are underdeveloped.  That has to be a 
lot cleaner as we move forward.

Eliot