Hi Jan,

I would like to learn a bit more about the concerns you expressed regarding EAP-TLS. If there are problems, then they should have been fixed with the work on EAP-TLS 1.3.

You write:

"The specification for EAP-TLS [RFC5216] does not include guidance on how to decide if a certificate is valid for this specific authentication."

What does it mean when you say "... valid for this specific authentication"? Which certificate? Client or server certificate?

"supplicant has no implicit information to determine the expected subject name in the server's certificate"

https://datatracker.ietf.org/doc/html/rfc5216#section-5.2 has something to say about this topic, and RFC 9190 didn't change it. This does not fit your needs, as it seems. Why?

Note that you can define a new EAP method without having to dismiss other EAP methods. Standardizing EAP-FIDO is just fine. Hence, I would re-write the intro to say something about FIDO authentication.

Ciao
Hannes

-----Original Message-----
From: Emu <emu-boun...@ietf.org> On Behalf Of Jan-Frederik Rieckers
Sent: Tuesday, 24 October 2023 00:38
To: emu@ietf.org
Subject: [Emu] New I-D: A new EAP method called EAP-FIDO

Hi emu folks,

as already teased at the last IETF, we finally have a first I-D ready for EAP-FIDO.[1]

The basic idea: Password-based network authentication is not really state-of-the-art any more and, due to failure to verify the server certificate, sometimes even completely broken. Almost every device nowadays has a TPM chip or something similar that is able to speak FIDO, either with the help of the OS or generically. So, why not use FIDO to log in to networks?

There is a proof-of-concept implementation (not compatible with the spec in the draft yet, just to show that "It works™") that was used to perform an eduroam login at a conference with an EAP-FIDO key.

We will hold a side-meeting on Monday evening, 18:00 in Room Karlin 4, to discuss some of the open design questions and to gather feedback on what else may be needed in the specification. We have also requested a time slot at the emu session on Tuesday, to shortly present the work.

Any feedback is welcome.

Cheers
Janfred

[1]: https://datatracker.ietf.org/doc/draft-janfred-eap-fido/

--
Herr Jan-Frederik Rieckers
Security, Trust & Identity Services
E-Mail: rieck...@dfn.de | Phone: +49 30884299-339 | Fax: +49 30884299-370
Pronomen: er/sein | Pronouns: he/him
__________________________________________________________________________________
DFN - Deutsches Forschungsnetz | German National Research and Education Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
www.dfn.de
Executive Board: Prof. Dr. Odej Kao (Chair) | Dr. Rainer Bockholt | Christian Zens
Management: Dr. Christian Grimm | Jochem Pattloch
VR AG Charlottenburg 7729B | USt.-ID. DE 1366/23822

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
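As an added illustration of the point both messages circle around (not taken from either mail or from the EAP-FIDO draft), here is a wpa_supplicant network block in the form that skips server-certificate validation, beside one that gives the supplicant the "expected subject name" and issuing CA it otherwise has no implicit way to know. SSID, identities, the CA path and the server name are assumed placeholders; the `ca_cert` and `domain_match` settings apply the same way to EAP-TLS as to the password-based tunnelled method shown.

```conf
# Weak: no CA and no expected server name are configured. The supplicant
# will complete the TLS tunnel with whatever server certificate it is shown,
# which is the "failure to verify the server certificate" case.
network={
    ssid="example-ssid"                  # placeholder
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.org"          # placeholder
    password="placeholder-password"      # placeholder
    phase2="auth=MSCHAPV2"
}

# Hardened: the supplicant is told explicitly which CA must have issued the
# server certificate and which SubjectAltName dNSName (or CN) it must carry.
# Without both lines the checks in RFC 5216 section 5.2 have nothing to
# compare against.
network={
    ssid="example-ssid"                  # placeholder
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"   # outer identity, placeholder
    identity="user@example.org"                  # placeholder
    password="placeholder-password"              # placeholder
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-ca.pem"      # placeholder path to the expected CA
    domain_match="radius.example.org"            # placeholder; full match on dNSName, else CN
}
```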