On Oct 25, 2023, at 11:55 AM, Jan-Frederik Rieckers <rieck...@dfn.de> wrote:

> For the current use case with FIDO keys, I don't know if we had different
> viewpoints, so I'll just clarify my point: Since FIDO tokens are basically
> "transferable" between devices (either by pulling the hardware token out and
> plugging it into a different computer or by some vendor magic with software
> FIDO tokens to share them between devices of the same person), how do we
> ensure that the CA pinning is transferred too?
>
> It is a valid use case to have a FIDO token for your login and use a
> different device every time, i.e. a pool of company laptops with standardized
> logins, but for network access you need a YubiKey and then you can do
> EAP-FIDO.
This isn't an issue for web logins. So we should find some way to ensure that it is not an issue for EAP.

> With EAP-FIDO, the amount of configuration needed is significantly reduced,
> so the user acceptance to type in the last few config options should be
> there. The bootstrapping will be much easier, especially if the Passkey that
> should be used with WiFi is already registered with the institution. Then
> it's really just "Hey Phone, I want to use this WiFi with EAP-FIDO, and my
> realm is example.com".

The FIDO exchange does not involve the transfer of any private information, unlike EAP methods which use passwords. This means it doesn't really matter which CA is used, or which server certificate is presented.

i.e. if the user has an NAI of @example.com, then the server should present a certificate for "example.com". i.e. SubjectAltName should contain a hostname in that realm. Since we're not doing DNS, the exact host name doesn't matter.

The server certificate should be signed with a CA known to the supplicant. And it doesn't matter which CA.

I think that the discussion here shows that pinning a server cert or CA cert will create more problems than it solves.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
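The realm-to-certificate check described in the reply above, written out as an added example that is not part of this thread or of any EAP-FIDO implementation. It assumes the caller has already extracted the SubjectAltName dNSName entries from the server certificate received in the TLS handshake; whether the certificate chains to a CA the supplicant trusts is left to the TLS stack, as the reply says.

```python
import re

# Rule from the thread: the server certificate must carry a SubjectAltName
# dNSName inside the realm of the user's NAI ("user@realm"). The exact host
# name is irrelevant; only membership in the realm is checked.

# One DNS label, or a bare "*" (wildcard), lowercase only (we fold case first).
_LABEL = re.compile(r"^(\*|[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)$")


def realm_of_nai(nai: str) -> str:
    """Return the realm of an NAI such as 'alice@example.com', lowercased."""
    if "@" not in nai:
        raise ValueError("NAI has no realm")
    realm = nai.rsplit("@", 1)[1].strip().rstrip(".").lower()
    labels = realm.split(".")
    if not realm or not all(_LABEL.match(l) and l != "*" for l in labels):
        raise ValueError(f"malformed realm: {realm!r}")
    return realm


def name_in_realm(dns_name: str, realm: str) -> bool:
    """True if a SAN dNSName equals the realm or is a subdomain of it.

    The suffix comparison is done on whole labels, so 'radius.notexample.com'
    never matches the realm 'example.com'. A wildcard is accepted only as the
    entire leftmost label (e.g. '*.example.com').
    """
    name = dns_name.strip().rstrip(".").lower()
    labels = name.split(".")
    if not all(_LABEL.match(l) for l in labels):
        return False
    if any(l == "*" for l in labels[1:]):
        return False
    return name == realm or name.endswith("." + realm)


def server_cert_matches_nai(san_dns_names, nai: str) -> bool:
    """Accept the server if any SAN dNSName lies within the NAI's realm.

    san_dns_names: dNSName strings taken from the server certificate's
    SubjectAltName extension (assumed to be extracted by the caller).
    """
    realm = realm_of_nai(nai)
    return any(name_in_realm(n, realm) for n in san_dns_names)
```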