Hi Jan-Fred,

I also have some comments on this draft.

- The draft talks about Fido but there is no introduction to Fido. Yes, you
gave the standards references but I think that is not sufficient.
I have a T2TRG draft:
https://datatracker.ietf.org/doc/draft-irtf-t2trg-security-setup-iot-devices/
which has a short description of FIDO which is pretty complicated by itself.

- My second concern is the use of AAA for IoT devices. I mentioned this
before on some other EMU draft.
I believe that AAA will not work with IoT. The way AAA servers function, it
will not be scalable to the billions of IoT devices expected to be deployed.

Behcet


On Mon, Oct 30, 2023 at 9:55 AM Alan DeKok <al...@deployingradius.com>
wrote:

> On Oct 30, 2023, at 9:53 AM, josh.howl...@gmail.com wrote:
> > This is true, but EAP-FIDO is still not a free lunch:
> > - EAP-FIDO implies the existence of a web-service to perform the initial
> > registration
>
>   Yes.
>
> > - That web-service needs to share state with the RADIUS server
>
>   It is admittedly hard for administrators to talk to each other.  But I
> don't think this is an unreasonable request to make.
>
> > Today's turnkey EAP provisioning solutions are not *conceptually* dissimilar
> > to this (often using self-signed CAs with EAP-TLS for mutual authn; and LDAP
> > to the Enterprise directory to authz the client cert's SAN). The onboarding
> > would just be transparent for an end-user because of the browser/OS/TPM
> > integration (so no "installer" to download and execute).
> >
> > It would be very interesting if the initial registration could be performed
> > in-band of EAP (using WebPKI).
>
>   That would be very useful.  It's a balance between making the draft
> useful (large, long delay), or getting it done quickly, but perhaps missing
> features.
>
>   I think the ideal approach is for EAP-FIDO to allow:
>
> * authentication via FIDO as discussed
>
> * provisioning of FIDO credentials
>
> * de-provisioning of credentials.
>
>   The last one is hard, as how do you de-provision credentials if you've
> deleted them, and you can't prove who you are?
>
>   Alan DeKok.
>
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
>