Re: [Emu] Short review of draft-friel-tls-eap-dpp-01
Alan DeKok <aland@deployingradius.com> Wed, 28 July 2021 19:32 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC90B3A1D07 for <emu@ietfa.amsl.com>; Wed, 28 Jul 2021 12:32:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p0d7FOTF--ym for <emu@ietfa.amsl.com>; Wed, 28 Jul 2021 12:32:19 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E7573A1D05 for <emu@ietf.org>; Wed, 28 Jul 2021 12:32:19 -0700 (PDT)
Received: from [192.168.46.129] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id A963F32D; Wed, 28 Jul 2021 19:32:16 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <6efbd9ec-abc5-1926-adfb-acb143f2d8b9@lounge.org>
Date: Wed, 28 Jul 2021 15:32:14 -0400
Cc: emu@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <44E10C5F-4E9A-411B-A809-75023FED7C31@deployingradius.com>
References: <1FE63FE4-4B23-4E0C-AF06-1372D6DA8869@deployingradius.com> <MW3PR11MB47467A3A2E47F9723E2CFEC8DBE99@MW3PR11MB4746.namprd11.prod.outlook.com> <E02A3731-EBB8-40B6-84DB-A99CA473DFAA@deployingradius.com> <6efbd9ec-abc5-1926-adfb-acb143f2d8b9@lounge.org>
To: Dan Harkins <dharkins@lounge.org>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/tOZXXk6kicP__wVwnMXkvW4Bl8o>
Subject: Re: [Emu] Short review of draft-friel-tls-eap-dpp-01
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jul 2021 19:32:24 -0000
On Jul 28, 2021, at 12:16 PM, Dan Harkins <dharkins@lounge.org> wrote: > I think you're reading a bit too much into "provisioning mode" here. There > was never an intention in TEAP to allow for the PKCS10/PKCS7 exchange to be > done after an anonymous Phase 1. The anonymous Phase 1 was used to get a > tunnel up in order to facilitate an exchange would would make the TEAP connection > be mutually authenticated. The text in 3.8.3 implies that Phase 2 always follows > an unauthenticated Phase 1 and Phase 2 MUST be mutually authenticated. OK. 7170 is a little unclear on that. > So the "this topic" you're alluding to is not really what 3.8.3 was talking > about. Sure. So there's still some need for bootstrapping, then? >> In contrast, the user work flow here is "connect to Eduroam, log in with your username and password". It really can't get simpler than that. > > *That* use case can't get any simpler. The 10,000 students can enter their > username/password on their 10,000 laptops. That's not what DPP or TLS-pok is > dealing with. It's 10,000 sensors with no practical user interface. Eduroam > doesn't work for 10,000 sensors with no practical user interface. I agree. My document is about users, and therefore the use-cases talk about users. But the real goal is provisioning. The "username / password" exchange happens after provisioning. It could (with no loss of generality) use another method, such as client certificates. > I don't think you're trying to solve the same problem we are. Pretty much. I suspect there may be some overlap, and I'd like to see if there's some possible synergy. > Nowhere do we propose to use EAP as a generic transport layer for provisioning. TEAP / FAST are getting close. Alan DeKok.
- [Emu] Short review of draft-friel-tls-eap-dpp-01 Alan DeKok
- Re: [Emu] Short review of draft-friel-tls-eap-dpp… Owen Friel (ofriel)
- Re: [Emu] Short review of draft-friel-tls-eap-dpp… Alan DeKok
- Re: [Emu] Short review of draft-friel-tls-eap-dpp… Alan DeKok
- Re: [Emu] Short review of draft-friel-tls-eap-dpp… Dan Harkins
- Re: [Emu] Short review of draft-friel-tls-eap-dpp… Dan Harkins
- Re: [Emu] Short review of draft-friel-tls-eap-dpp… Alan DeKok
- Re: [Emu] Short review of draft-friel-tls-eap-dpp… Alan DeKok