On Aug 12, 2024, at 6:48 AM, Owen Friel (ofriel) <ofriel=40cisco....@dmarc.ietf.org> wrote:
> I’m updating 
> https://datatracker.ietf.org/doc/html/draft-ietf-emu-bootstrapped-tls-05#section-4
>  to use the latest guidelines in 
> https://datatracker.ietf.org/doc/html/draft-ietf-emu-eap-arpa-01 and am a bit 
> confused about the username to use.
>  
> https://datatracker.ietf.org/doc/html/draft-ietf-emu-eap-arpa-01#section-3.3 
> states:
> 
> “The username field MUST be either empty, or hold a fixed string such as 
> "provisioning"”
>  
> “The username field MUST NOT omitted. That is, "@eap.arpa" is not a valid 
> identifier for the purposes of this specification.”
>  
> The above two statements appear to contradict each other.

  Yes, the wording needs to be fixed.

> And 
> https://datatracker.ietf.org/doc/html/draft-ietf-emu-eap-arpa-01#section-5.3 
> states:
>  
> “It is RECOMMENDED that EAP-NOOB peers use "@noob.eap.arpa" first, and if 
> that does not succeed, use n...@eap-noob.arpa” 
>  
> even though RFC 9140 defines “n...@eap-noob.arpa”, i.e. RFC 9140 defines a 
> username, but emu-eap-arpa recommends the peer not use one at first.

  We need backwards compatibility for EAP-NOOB; we don't need it for new EAP 
methods.


> So.. for ietf-emu-bootstrapped-tls, which format should the identifier use:
>  
> 1. No username: @tls-pok-dpp.eap.arpa
> 2. Username: tls-pok-dpp@tls-pok-dpp.eap.arpa
> 3. Anonymous username: anonymous@tls-pok-dpp.eap.arpa
>  
> (3) seems forbidden. But I’m not clear from ietf-emu-eap-arpa which of (1) or 
> (2) to use.

  I think (3) is wrong, as it doesn't tell you anything useful.

  I think (2) is duplication, and not necessary.

  (1) should be OK.

  If you plan on having *multiple* kinds of provisioning with TLS-POK-DPP, then 
a username portion would tell you which subset of TLS-POK-DPP is being used.  
But it should be OK to leave the username portion blank for now. 

  I'll update the eap.arpa document to note that the username portion defines 
the _type_ of provisioning being done.  Different usernames are different kinds 
of provisioning.  And empty usernames are different from non-empty usernames.

  Alan DeKok.

_______________________________________________
Emu mailing list -- emu@ietf.org
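As an added illustration of the identifier conventions this exchange settles on (this is not code from either draft, nor from the thread's authors), the following Python classifier parses an EAP identity of the form username@realm and decides whether it is a valid eap.arpa provisioning identity, which method label it carries, and which provisioning type the username selects. It encodes the rules stated in the thread: a bare "@eap.arpa" is not valid, the username is either empty or a fixed string, an empty username is a different provisioning type from a non-empty one, and the RFC 9140 realm eap-noob.arpa is kept for backwards compatibility. Assumptions of my own: exactly one DNS label sits below eap.arpa, usernames are limited to printable ASCII without whitespace or "@", the legacy eap-noob.arpa realm is folded into the method label "noob", and "tls-pok-dpp" is used only as a sample label.

```python
"""Parse and classify EAP identities that use the eap.arpa provisioning realm.

Added illustration; not code from the eap.arpa or bootstrapped-tls drafts.
Rules taken from the thread:
  - an identity is an NAI, username@realm
  - the realm is <method>.eap.arpa; a bare "@eap.arpa" is not valid
  - the username is either empty or a fixed string naming a provisioning type
  - an empty username is a different provisioning type from a non-empty one
  - the realm eap-noob.arpa (RFC 9140) is kept for backwards compatibility
Assumptions (mine): one DNS label below eap.arpa; usernames are printable
ASCII without whitespace or '@'; the legacy realm maps to method label "noob".
"""
from dataclasses import dataclass
from typing import Optional, Tuple

EAP_ARPA = "eap.arpa"
LEGACY_NOOB_REALM = "eap-noob.arpa"   # RFC 9140 realm, pre-dating the eap.arpa scheme


@dataclass(frozen=True)
class ProvisioningIdentity:
    method: str        # label under eap.arpa, e.g. "tls-pok-dpp" (sample label)
    username: str      # "" or a fixed provisioning-type string
    legacy: bool = False


def _valid_label(label: str) -> bool:
    # One DNS label: ASCII letters, digits and hyphens, no leading/trailing hyphen.
    return (0 < len(label) <= 63
            and all(c.isascii() and (c.isalnum() or c == "-") for c in label)
            and not label.startswith("-") and not label.endswith("-"))


def _valid_username(username: str) -> bool:
    # Empty is allowed; otherwise a fixed printable token with no whitespace or '@'.
    return username == "" or all(33 <= ord(c) <= 126 and c != "@" for c in username)


def classify_identity(identity: str) -> Optional[ProvisioningIdentity]:
    """Return the provisioning identity encoded in an NAI, or None if it is not
    a valid eap.arpa (or legacy eap-noob.arpa) provisioning identity."""
    if "@" not in identity:
        return None                       # no realm at all: not a provisioning NAI
    username, _, realm = identity.rpartition("@")
    realm = realm.lower()                 # DNS realms compare case-insensitively
    if not _valid_username(username):
        return None
    if realm == LEGACY_NOOB_REALM:
        # RFC 9140 identity accepted for backwards compatibility; username kept as-is.
        return ProvisioningIdentity("noob", username, legacy=True)
    if realm == EAP_ARPA:
        return None                       # "@eap.arpa" alone is not a valid identifier
    suffix = "." + EAP_ARPA
    if not realm.endswith(suffix):
        return None                       # some other realm: ordinary EAP, not provisioning
    method = realm[:-len(suffix)]
    if not _valid_label(method):
        return None                       # assumption: exactly one label below eap.arpa
    return ProvisioningIdentity(method, username)


def provisioning_type(identity: str) -> Optional[Tuple[str, str]]:
    """Key a server can dispatch on: (method, username). The empty username is
    its own key, distinct from every named provisioning type."""
    ident = classify_identity(identity)
    return None if ident is None else (ident.method, ident.username)


if __name__ == "__main__":
    # Constructed sample identities, including the three Owen lists.
    for nai in ["@tls-pok-dpp.eap.arpa", "tls-pok-dpp@tls-pok-dpp.eap.arpa",
                "anonymous@tls-pok-dpp.eap.arpa", "@eap.arpa", "@noob.eap.arpa",
                "bob@example.com"]:
        print(f"{nai:36} -> {provisioning_type(nai)}")
```

The dispatch key is a tuple rather than the username alone so that a server never confuses the empty username of one method with the empty username of another, and so that "@tls-pok-dpp.eap.arpa" and "provisioning@tls-pok-dpp.eap.arpa" land on different handlers, which is the distinction Alan says the eap.arpa document will spell out. An "anonymous" username is accepted syntactically here; the thread's objection to it is that it conveys nothing, not that the grammar forbids it.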