On Thu, 6 Mar 2025 at 21:33, Alan DeKok <al...@deployingradius.com> wrote:
> On Mar 6, 2025, at 1:19 PM, Michael Richardson <mcr+i...@sandelman.ca>
> wrote:
>
> >> The simplest way forward that I can think of is the following:
> >
> >> 1) declare the MSFT behaviour TEAPv0. Crypto-Binding contains only the
> >> MSK Compound MAC, the EMSK Compound MAC is always zero
> >
> > Is version 0 even valid?
> > What do these old versions declare as their version?
>
> Sorry, TEAPv1.
>
> So TEAPv1 is "MSK Compound MAC only".

To summarise the current TEAP implementation state:

- Windows is the only supplicant (TEAP client) that's in production use that we know of.
- EAP-TLS can do both EMSK and MSK, but TEAP/EAP-TLS on Windows does not use EMSK.
- The EAP-MSCHAP-V2 specification does not define EMSK.
- A number of servers can use EMSK, but there are differences in how they do it.

The above is basically the first top-level and sub bullets from
https://github.com/emu-wg/rfc7170bis/wiki/Interop-Testing#conclusions

Conclusion: EMSK is not currently (widely? at all?) used.

Based on the above, since EMSK is not widely used, if at all, with TEAP inner methods, I'd be fine with TEAPv1 being an EMSK-less specification.

Giving up on using EMSK does sound like giving up something important, but is it so? Can someone tell what the importance of EMSK being used in TEAP is? Does it provide, for example, additional integrity checks which are important enough that they couldn't wait for TEAPv2?

As far as I know, none of the other EAP methods (PEAP, TTLS, AKA', etc.) or related specifications define any use for EMSK. MSK is used, for example, for creating the 802.11i Pairwise Master Key (PMK). Many of the EAP methods define how EMSK is derived, but they don't seem to need it. Does use of EMSK make chained TEAP inner authentication methods significantly safer, or is EMSK used only because it's available and it was thought to be easy to mix in? Then again, MSK-less inner methods, such as PAP, are fine without MSK.

If EMSK is not essential, TEAPv2 could then be the version that clearly defines how EMSK is used.

We also have a TEAP implementation which has not been distributed yet. It was actively developed and refined when most of the updates in the draft were done. At that time it was working with Win11 and eapol_test and supports EMSK and PAP. For us it's fine to go in any direction with regard to how EMSK is, or is not, used.

Thanks,
Heikki

--
Heikki Vatiainen
h...@radiatorsoftware.com
_______________________________________________
Emu mailing list -- emu@ietf.org
To unsubscribe send an email to emu-le...@ietf.org