Hi Josh,
TLS-pok is a one-off. It's not for network access, it's to use a
trusted public key bootstrapped in any of the ways DPP has defined
to authenticate something like TEAP. TLS-pok authenticates the "outer"
TEAP tunnel and inside that tunnel a PKCS#10/PKCS#7 exchange happens
and the device gets provisioned for network access. The bootstrapped
key is never used again. Network access is accomplished using the
credentials provisioned by TEAP.
regards,
Dan.
On 7/25/20 8:50 AM, Josh Howlett wrote:
This may be a stupid question, but I can’t find an explanation in the
draft or figure it out myself... If the intended application for this
TLS extension is network access, might it be simpler to define a new
EAP method that used a similar key exchange? That would avoid touching
implementations of TLS and those EAP methods using the extension.
Josh
From: Dan Harkins <mailto:dhark...@lounge.org>
Sent: 22 July 2020 21:59
To: emu <mailto:emu@ietf.org>
Subject: [Emu] TLS-pok for EAP
Hello,
Owen and I have a new draft out to introduce a new authentication
mechanism using out-of-band trust establishment (à la the DPP protocol)
into TLS for use with a TLS-based EAP method like TEAP or EAP-TLS.
This would enable zero touch provisioning for wired devices using the
same bootstrapping methods that DPP uses for wireless.
I'm on the agenda for Friday to do a brief presentation. Here's a
link to the draft if you're interested:
https://datatracker.ietf.org/doc/draft-friel-tls-eap-dpp/
regards,
Dan.
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu