Hi Tuomas,

We are OK with solving credential provisioning to the peer at the EAP level (rather than just in EAP-NOOB). How exactly to do credential provisioning needs further thought. We will be happy to discuss this further.

Philip

From: Aura Tuomas [mailto:tuomas.a...@aalto.fi]
Sent: 9 March, 2020 19:57
To: philipginzboorg <philip.ginzbo...@huawei.com>; emu@ietf.org
Cc: emu-cha...@ietf.org
Subject: RE: EAP-NOOB: request for optional message pair to configure EAP Peer

Hi Philip,

It would definitely be useful to provision various types of long-term credentials after the security bootstrapping and to use them for reauthentication later. One way to achieve this with the current spec is to use the exported AMSK as a shared key for a separate credential provisioning protocol.

We have given some thought to provisioning long-term credentials in EAP-NOOB, but it was not clear which and how many different credential types EAP-NOOB should support. We might end up with an unrealistically complicated protocol. Also, it would require fragmentation support, e.g. to deliver long certificates or certificate chains.

A better solution might be to export a credential provisioning key from all EAP methods in a standard way and to use that for the provisioning protocol of your choice. I would be happy to discuss how to achieve this and if there is a way that meets your requirements.

*Chairs*: I hope that you can initiate a call for adoption of EAP-NOOB, so that the working group can decide on this kind of feature requests depending on the priorities of the community. From my point of view, the spec is quite ready.

Tuomas

From: Emu <emu-boun...@ietf.org> On Behalf Of philipginzboorg
Sent: Friday, 6 March, 2020 15:27
To: emu@ietf.org
Subject: [Emu] EAP-NOOB: request for optional message pair to configure EAP Peer
Importance: High

Hi,

I am Philip Ginzboorg from Huawei Finland. Together with my colleague Sandeep Tamrakar we are working on an IoT security-related project and had a look at EAP-NOOB.

Here is our comment on the EAP-NOOB draft version 7:

- In addition to the functionality that EAP-NOOB already provides, we would like to have the possibility for the EAP server to configure the EAP Peer. For instance, the EAP Server could provision long-term credentials to the EAP Peer.
- For that purpose, we would like to have one optional message pair in the EAP-NOOB protocol exchanged just before the Completion Exchange (Section 3.2.4) ends.
- The first additional message, from EAP Server to EAP Peer, could be of a separate Command message type (e.g., type=10). It should be sent only during the Completion exchange, after the server verifies the correctness of the received MAC (i.e. MACp) from the EAP Peer, and before the EAP-Success message.
- Upon receiving this message, the EAP Peer will configure itself as instructed by the EAP Server, if MACs is correct. Then, the EAP Peer will respond with a configuration success message.
- For example, in Fig 6 (https://tools.ietf.org/html/draft-aura-eap-noob-07) after the 4th message (Type=4,PeerId,MACp) and before the EAP-Success message, there would be a possibility of sending an additional message (e.g., Type=10, say, a configuration Command message) to the EAP Peer, and expect back a response.

Philip
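A small model of the Completion Exchange tail with the optional Type=10 command message proposed above, written as an added example for this thread (not code from the EAP-NOOB draft or its authors). It assumes a constructed shared key in place of EAP-NOOB's real key derivation, assumes the command itself carries a MAC so the peer can reject an altered one, and uses a Type=0 error message loosely in the shape of EAP-NOOB error notifications.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the key material both sides hold after the
# Completion Exchange (assumption for this sketch, not EAP-NOOB key derivation).
SESSION_KEY = b"constructed-demo-session-key"


def mac(key: bytes, fields: list) -> str:
    """HMAC-SHA-256 over a JSON array of fields; stands in for MACs/MACp-style MACs."""
    data = json.dumps(fields, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def server_after_macp(peer_msg: dict, expected_fields: list, command: dict) -> dict:
    """Server side: the optional Type=10 command goes out only once MACp verifies."""
    if peer_msg.get("Type") != 4:
        return {"Type": 0, "ErrorInfo": "unexpected message"}
    if not hmac.compare_digest(peer_msg["MACp"], mac(SESSION_KEY, expected_fields)):
        return {"Type": 0, "ErrorInfo": "MACp verification failed"}
    msg = {"Type": 10, "PeerId": peer_msg["PeerId"], "Command": command}
    # Assumption: the command is MAC'd so the peer only acts on an unaltered one.
    msg["MAC"] = mac(SESSION_KEY, [10, msg["PeerId"], command])
    return msg


def peer_handle_command(msg: dict, config: dict) -> dict:
    """Peer side: apply the configuration only if the command's MAC verifies."""
    if msg.get("Type") != 10:
        return {"Type": 0, "ErrorInfo": "not a command message"}
    expected = mac(SESSION_KEY, [10, msg["PeerId"], msg["Command"]])
    if not hmac.compare_digest(msg["MAC"], expected):
        return {"Type": 10, "PeerId": msg["PeerId"], "Result": "failure"}
    config.update(msg["Command"])  # provision the long-term credential
    return {"Type": 10, "PeerId": msg["PeerId"], "Result": "success"}


def run_exchange(macp_fields: list, tamper: bool = False) -> tuple:
    """Drive one tail: peer MACp -> server Type=10 command -> peer response."""
    peer_msg = {"Type": 4, "PeerId": "peer-1", "MACp": mac(SESSION_KEY, macp_fields)}
    command = {"credential_type": "psk", "credential": "constructed-long-term-psk"}
    server_msg = server_after_macp(peer_msg, ["constructed-macp-input"], command)
    if server_msg.get("Type") != 10:
        return server_msg, {}          # server never sends a command on bad MACp
    if tamper:                         # simulate an altered command in transit
        server_msg["Command"] = dict(command, credential="altered-psk")
    config = {}
    response = peer_handle_command(server_msg, config)
    return response, config
```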
_______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu