On Oct 16, 2024, at 1:13 AM, Yukiko MINAMIE <mina...@stellar.co.jp> wrote:

> FIDO2 servers are designed to generate their own FIDO2 challenges,
> which means that the current EAP-FIDO specification, using
> FIDO2 challenges derived from TLS keying material,
> does not allow for the use of existing FIDO2 servers.
>
> Could you consider alternative methods to using FIDO2 challenges
> derived from the TLS keying material to bind the TLS handshake phase
> to the FIDO-exchange phase?
Deriving the challenge from the TLS keying material is because of cryptographic binding issues:

https://datatracker.ietf.org/doc/html/rfc5281#section-14.1.11

which refers to an outdated link. The updated one is

https://asokan.org/asokan/research/tunnel_extab_final.pdf

See section 3 of that document for details.

The EAP-TTLS RFC discusses the issue that challenges generated by the client are an issue. I'll have to dig in more detail, but perhaps there isn't an issue for server-generated challenges?

Perhaps one option would be to allow the challenge to be created by the FIDO2 server, but add an exchange specific to the EAP-FIDO protocol, which would do the cryptographic binding. That exchange could stay inside of EAP-FIDO, and wouldn't have to affect any FIDO exchanges.

Alan DeKok.

_______________________________________________
Emu mailing list -- emu@ietf.org
To unsubscribe send an email to emu-le...@ietf.org
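The tunnel-binding problem the reply points at (RFC 5281 section 14.1.11 and section 3 of the Asokan paper), as an added, constructed model that is not part of the thread, the EAP-FIDO draft, or any FIDO library. It contrasts the current design (challenge derived from the TLS exporter, so each end of a different tunnel computes a different value) with a server-generated challenge relayed verbatim through a man-in-the-middle tunnel. Assumptions: the TLS exporter is modelled as HMAC over a per-session secret, the authenticator's ECDSA signature is modelled as HMAC under a shared credential key, the exporter label, RP ID and origin are made up, and the clientData encoding uses a fixed separator instead of JSON.

```python
"""Constructed model of TLS-to-FIDO challenge binding inside a TLS tunnel.

Everything here is a stand-in: the TLS exporter is modelled with HMAC, the
authenticator signature with HMAC under the credential key, and the exporter
label is hypothetical.  Only the Python standard library is used.
"""
import hashlib
import hmac
import os

# Hypothetical exporter label; the real draft defines its own.
CHALLENGE_LABEL = b"EXPORTER-EAP-FIDO-challenge"
RP_ID = b"eap.example.org"               # constructed RP ID
ORIGIN = b"eap-fido://eap.example.org"   # constructed origin string


def tls_exporter(session_secret: bytes, label: bytes, length: int = 32) -> bytes:
    """Stand-in for the TLS keying-material exporter (RFC 5705 / RFC 8446 7.5).

    Both ends of one TLS session get the same value; a different session,
    even with the same peer, yields a different value.  Real code would call
    the TLS library's export_keying_material().
    """
    return hmac.new(session_secret, label, hashlib.sha256).digest()[:length]


def derive_challenge(session_secret: bytes) -> bytes:
    """Challenge bound to the tunnel: what the current EAP-FIDO text does."""
    return tls_exporter(session_secret, CHALLENGE_LABEL)


def client_data_hash(challenge: bytes, origin: bytes) -> bytes:
    """Model of FIDO2 clientDataHash = SHA-256(clientDataJSON).

    A fixed field separator replaces JSON so the server can rebuild it exactly.
    """
    return hashlib.sha256(b"webauthn.get|" + origin + b"|" + challenge.hex().encode()).digest()


def get_assertion(cred_key: bytes, challenge: bytes) -> bytes:
    """Authenticator signature over rpIdHash || clientDataHash (HMAC stand-in for ECDSA)."""
    rp_id_hash = hashlib.sha256(RP_ID).digest()
    signed = rp_id_hash + client_data_hash(challenge, ORIGIN)
    return hmac.new(cred_key, signed, hashlib.sha256).digest()


def verify_assertion(cred_key: bytes, expected_challenge: bytes, assertion: bytes) -> bool:
    """Relying-party check: rebuild clientDataHash from the challenge it expects."""
    return hmac.compare_digest(get_assertion(cred_key, expected_challenge), assertion)


def run_direct(cred_key: bytes) -> bool:
    """Honest case: client and server share one TLS session."""
    session = os.urandom(32)
    assertion = get_assertion(cred_key, derive_challenge(session))
    return verify_assertion(cred_key, derive_challenge(session), assertion)


def run_relayed(cred_key: bytes, bind_to_tls: bool) -> bool:
    """Tunnel man-in-the-middle from the EAP-TTLS / Asokan analysis.

    The client's TLS session ends at the attacker (secret_a); the attacker
    holds a separate TLS session with the real server (secret_b) and relays
    the inner FIDO messages unchanged.  Returns True when the server accepts.
    """
    secret_a, secret_b = os.urandom(32), os.urandom(32)
    if bind_to_tls:
        # Each side derives the challenge from its own tunnel.
        client_challenge = derive_challenge(secret_a)
        server_expected = derive_challenge(secret_b)
    else:
        # Server-generated challenge with no binding: the attacker relays it
        # verbatim, so the client signs exactly what the server expects.
        server_expected = os.urandom(32)
        client_challenge = server_expected
    assertion = get_assertion(cred_key, client_challenge)  # attacker forwards this unchanged
    return verify_assertion(cred_key, server_expected, assertion)


if __name__ == "__main__":
    key = os.urandom(32)  # constructed credential key shared by the stand-in signer and verifier
    print("direct, TLS-bound challenge:  ", run_direct(key))          # True
    print("relayed, TLS-bound challenge: ", run_relayed(key, True))   # False
    print("relayed, unbound challenge:   ", run_relayed(key, False))  # True
```

The model makes one design constraint visible for the server-generated-challenge option discussed above: the relaying attacker owns a perfectly valid TLS session with the server, so a binding exchange that only mixes server-side exporter material with the challenge can be recomputed by the attacker from its own tunnel. The bound value has to be covered by something the attacker cannot produce, which in a FIDO exchange is the authenticator's signature over clientDataHash. The model does not capture the interoperability point raised in the question, namely that a FIDO2 server must then accept a challenge it did not generate.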