Hi Roman,

On 9/2/25, 5:49 PM, "Roman Danyliw via Datatracker" <[email protected]> wrote:

    Roman Danyliw has entered the following ballot position for
    draft-ietf-emu-bootstrapped-tls-08: Discuss
    
    When responding, please keep the subject line intact and reply to all
    email addresses included in the To and CC lines. (Feel free to cut this
    introductory paragraph, however.)
    
    
    Please refer to
    https://urldefense.com/v3/__https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/__;!!NpxR!mcnH6D49ZcpPYaB5q_fyf8p08grRMgPHVIvijzWsu-XaGF3TvKU40t2b6Onpif4f5Q8yyVCnD-FzIphg$
    for more information about how to handle DISCUSS and COMMENT positions.
    
    
    The document, along with other ballot positions, can be found here:
    https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-emu-bootstrapped-tls/__;!!NpxR!mcnH6D49ZcpPYaB5q_fyf8p08grRMgPHVIvijzWsu-XaGF3TvKU40t2b6Onpif4f5Q8yyVCnDxeQMW2v$
    
    ----------------------------------------------------------------------
    DISCUSS:
    ----------------------------------------------------------------------
    
    ** Section 1.
       Thus, the intention is that DPP is the
       RECOMMENDED mechanism for bootstrapping against Wi-Fi networks, and
       TLS-POK is the RECOMMENDED mechanism for bootstrapping against wired
       networks.
    
    -- Normative language is being used for [DPP], making it a normative
    reference

We can make DPP normative.

    -- Why is the EMU WG specifying normative requirement “against Wi-Fi
    networks” for a standard not specified by the IETF?
    
Because DPP already solves the zero-touch bootstrapping problem for wireless 
networks. Due to the way it does discovery, it is not suitable for wired 
networks that use 802.1X (something also not specified by the IETF but is used 
by EAP methods). 

    -- Since normative behavior is being specified for DPP, what are DPP’s
    security considerations?

They are mentioned in section 1.6 of the DPP spec. If we make it normative and 
provide a link would that be satisfactory?
    
    ----------------------------------------------------------------------
    COMMENT:
    ----------------------------------------------------------------------
    
    ** Section 2.
       In this model,
       physical possession of the device implies legitimate ownership.
    
    What does “legitimate ownership” mean in this context?  Isn’t it just
    “physical control of the system”?

Whoever has physical possession of the device (such that its bootstrapping key 
could be gleaned) is assumed to be the legitimate owner.

  regards,

  Dan.
 
--
"the object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." – Marcus Aurelius