Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-11-03 Thread Michael Richardson
Dan Harkins wrote: >   RCM means that MAC addresses can't be relied upon anymore; good. The > solution is not EAP-TLS in the home though, it's getting away from the > "single passphrase per SSID" model that Wi-Fi came up with 20+ years > ago and still cannot move beyond. For the r

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-11-03 Thread Michael Richardson
Jan-Frederik Rieckers wrote: > Firstly: deleting the EAP-specific configuration (as in: "Dear client, > I don't know you, please stop asking"). This can be as simple as > sending a simple message, but has the problem that faulty > configurations in the beginning can't be debugged

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-31 Thread Alan DeKok
On Oct 31, 2023, at 6:28 AM, josh.howl...@gmail.com wrote: > Playing Devil's Advocate and going a bit OT: this is an excellent goal, so > why stop at EAP-FIDO? > > We could define a similar validation logic for the existing TLS-based methods > to obtain the same benefit. For example: > * The val

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-31 Thread Alan DeKok
On Oct 31, 2023, at 3:12 AM, Jan-Frederik Rieckers wrote: > But actually I don't know if **provisioning** the credentials in-band is such > a good idea. > Because, in order to provision the credentials, the user needs to prove that > they are authorized, and how would they do that? That was o

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-31 Thread josh.howlett
> For the current EAP-TLS based methods, the "service" of putting on the > harness and hooking you in is not provided. And that is exactly what I want to > achieve with the TLS part of EAP-FIDO. The users shouldn't see any of the > certificate check parameters, it should be implicit and that is whe

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-31 Thread Jan-Frederik Rieckers
On 30.10.23 17:39, Behcet Sarikaya wrote: > - The draft talks about Fido but there is no introduction to Fido. Yes, you gave the standards references but I think that is not sufficient. I have a T2TRG draft: https://datatracker.ietf.org/doc/draft-irtf-t2trg-security-setup-iot-devices/

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-31 Thread Jan-Frederik Rieckers
On 30.10.23 12:20, Hannes Tschofenig wrote: > you cannot complain about the use of TLS in EAP when the EAP method you propose relies on TLS. The TLS-based authentication is an essential part of the FIDO solution. Without TLS it is completely insecure. I don't complain about TLS or EAP-TLS itself

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-31 Thread Jan-Frederik Rieckers
On 30.10.23 15:55, Alan DeKok wrote: Today's turnkey EAP provisioning solutions are not *conceptually* dissimilar to this (often using self-signed CAs with EAP-TLS for mutual authn; and LDAP to the Enterprise directory to authz the client cert's SAN). The onboarding would just be transparent fo

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-30 Thread josh.howlett
> From: Alan DeKok > On Oct 30, 2023, at 9:53 AM, josh.howl...@gmail.com wrote: > > It would be very interesting if the initial registration could be > > performed in-band of EAP (using WebPKI). > > That would be very useful. It's a balance between making the draft useful > (large, long delay)

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-30 Thread Behcet Sarikaya
Hi Jan-Fred, I also have some comments on this draft. - The draft talks about Fido but there is no introduction to Fido. Yes, you gave the standards references but I think that is not sufficient. I have a T2TRG draft: https://datatracker.ietf.org/doc/draft-irtf-t2trg-security-setup-iot-devices/ w

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-30 Thread Alan DeKok
On Oct 30, 2023, at 9:53 AM, josh.howl...@gmail.com wrote: > This is true, but EAP-FIDO is still not a free lunch: > - EAP-FIDO implies the existence of a web-service to perform the initial > registration Yes. > - That web-service needs to share state with the RADIUS server It is admittedly

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-30 Thread josh.howlett
> It's almost 2024, and MDM is still difficult. There are a large number of > companies who are happy to charge recurring monthly fees, per user, for > MDM solutions. That's bad for everyone but them. This is true, but EAP-FIDO is still not a free lunch: - EAP-FIDO implies the existence of a w

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-30 Thread Alan DeKok
On Oct 30, 2023, at 7:20 AM, Hannes Tschofenig wrote: > you cannot complain about the use of TLS in EAP when the EAP method you > propose relies on TLS. The TLS-based authentication is an essential part > of the FIDO solution. Without TLS it is completely insecure. I don't think that the propo

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-30 Thread Hannes Tschofenig
Hi Jan, you cannot complain about the use of TLS in EAP when the EAP method you propose relies on TLS. The TLS-based authentication is an essential part of the FIDO solution. Without TLS it is completely insecure. Regarding the key extractor use you describe below: I don't remember this techni

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-26 Thread Dan Harkins
On 10/25/23 8:31 AM, Michael Richardson wrote: As a goal, we need to migrate to more use of EAP-TLS in home environments. RCM requires it in the end.   The problem with EAP-TLS is certificate enrollment and trust which we still have not solved in a way that would work for Joe and Sally Sixpack

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-26 Thread josh.howlett
> If you can do an onboarding SSID, there are many simpler things which can > be done, too. e.g. downloading configuration files from a captive portal. Yes, but not with a managed Chromebook... My point being that bootstrapping EAP configuration provisioning is not just a problem for BYOD. St

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-25 Thread Alan DeKok
On Oct 25, 2023, at 1:52 PM, josh.howl...@gmail.com wrote: > I discovered recently that you can't provision a client cert for EAP-TLS onto > a Chromebook using the Google MDM. Instead, you configure the MDM with > information that enables the Chromebook to obtain one using SCEP from an > Enterpr

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-25 Thread josh.howlett
> As a goal, we need to migrate to more use of EAP-TLS in home environments. I discovered recently that you can't provision a client cert for EAP-TLS onto a Chromebook using the Google MDM. Instead, you configure the MDM with information that enables the Chromebook to obtain one using SCEP from

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-25 Thread Alan DeKok
On Oct 25, 2023, at 11:55 AM, Jan-Frederik Rieckers wrote: > For the current use case with FIDO keys, I don't know if we had different > viewpoints, so I'll just clarify my point: Since FIDO tokens are basically > "transferable" between devices (either by pulling the hardware token out and > pl

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-25 Thread Eliot Lear
On 25.10.2023 17:31, Michael Richardson wrote: As a goal, we need to migrate to more use of EAP-TLS in home environments. TEAP!

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-25 Thread Jan-Frederik Rieckers
On 25.10.23 17:31, Michael Richardson wrote: > Since the credential is not necessarily used on the same device that the FIDO > credential was registered (example: YubiKeys that are registered by the admin > and then issued to the user), the information needs to be stored in the

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-25 Thread Michael Richardson
Jan-Frederik Rieckers wrote: > Administrators don't fully understand the EAP methods, and they usually don't > have time to dig into that. They just want it to work. I agree that we have problems. > With the suggested way to pin the PKI to the one used to provision the > creden

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-25 Thread Jan-Frederik Rieckers
On 24.10.23 19:43, Michael Richardson wrote: Alan DeKok wrote: > Not explicitly, but implicitly. > I think the way out here is to not mandate the use of WebPKI. Instead, > we can just say that the EAP certificate should be issued by the same > (or equivalent CA) to the one

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-24 Thread Michael Richardson
Alan DeKok wrote: > Not explicitly, but implicitly. > I think the way out here is to not mandate the use of WebPKI. Instead, > we can just say that the EAP certificate should be issued by the same > (or equivalent CA) to the one which was used to provision the initial > FIDO

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-24 Thread Alan DeKok
On Oct 24, 2023, at 11:11 AM, wrote: > That is an interesting idea, but it might be tricky for the supplicant to > validate because provisioning is performed through a browser? All the supplicant has to know is (a) the FIDO credentials, and (b) the CA certs used for FIDO. These are usually

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-24 Thread josh.howlett
> From: Alan DeKok > On Oct 24, 2023, at 8:56 AM, josh.howl...@gmail.com wrote: > > To be clear, what I mean is whether there is another IETF protocol that > > *mandates* the use of WebPKI? > > All of them. > > Not explicitly, but implicitly. > > I think the way out here is to not mandate

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-24 Thread Alan DeKok
On Oct 24, 2023, at 8:56 AM, josh.howl...@gmail.com wrote: > To be clear, what I mean is whether there is another IETF protocol that > *mandates* the use of WebPKI? All of them. Not explicitly, but implicitly. I think the way out here is to not mandate the use of WebPKI. Instead, we can

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-24 Thread Jan-Frederik Rieckers
On 24.10.23 14:56, josh.howl...@gmail.com wrote: To be clear, what I mean is whether there is another IETF protocol that *mandates* the use of WebPKI? I don't know of any, I'm interested in the definitive answer too. It definitely has a lot of implications to depend on external parties for

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-24 Thread josh.howlett
> > So I see this as two new methods: > > > > 1) tunnelled FIDO - for use in TTLS, PEAP, or other TLS-based EAP methods. > > > > 2) TLS-based method with tunnelled FIDO - it can make new / stronger > > requirements on CA validation, server identity, etc. > > So (2) would be the moral equivalent

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-24 Thread josh.howlett
> So I see this as two new methods: > > 1) tunnelled FIDO - for use in TTLS, PEAP, or other TLS-based EAP methods. > > 2) TLS-based method with tunnelled FIDO - it can make new / stronger > requirements on CA validation, server identity, etc. So (2) would be the moral equivalent of (1) inside

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-24 Thread Alan DeKok
On Oct 24, 2023, at 6:22 AM, Jan-Frederik Rieckers wrote: > I must confess, the text is mainly driven by my bad experience from my days > as part of the eduroam administration team at the university of Bremen, and > my current experience with a change in the root certificate for almost every >

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-24 Thread josh.howlett
> > 2. I am not persuaded by the two arguments given in section 6.3 for not > > reusing existing tunnelled methods. > > I'm open to discuss this with an open mind, the first draft is just the > way that I imagined it, if there are reasons to do it another way, I'm > not set on the current spec. >

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-24 Thread Eliot Lear
Ahah! Ok. I suggest a slight rename: FIDO's got tokens and Fido's got FDO, and the two are quite separate. EAP-FIDO-TOKEN? Eliot On 24.10.2023 12:24, Jan-Frederik Rieckers wrote: On 24.10.23 09:12, Eliot Lear wrote: > Thanks for the draft. Question: Is the intent that the FDO authenticati

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-24 Thread Jan-Frederik Rieckers
On 24.10.23 09:12, Eliot Lear wrote: > Thanks for the draft. Question: Is the intent that the FDO authentication happen each and every time, or just during ownership transfer? The intent is to do a FIDO authentication every time (maybe with the exception of TLS session resumption, Text for t

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-24 Thread Jan-Frederik Rieckers
On 24.10.23 10:58, josh.howl...@gmail.com wrote: It is good to see this work progressing. 1. I agree with Hannes' observation that it isn't necessary to premise EAP-FIDO on the claimed weaknesses of other EAP methods. I suggest replacing paragraphs 2-5 with content summarising the proposal. I

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-24 Thread josh.howlett
Hi Jan-Fred, It is good to see this work progressing. 1. I agree with Hannes' observation that it isn't necessary to premise EAP-FIDO on the claimed weaknesses of other EAP methods. I suggest replacing paragraphs 2-5 with content summarising the proposal. In particular I am surprised that the

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-24 Thread Eliot Lear
Hi Jan-Frederik Thanks for the draft. Question: Is the intent that the FDO authentication happen each and every time, or just during ownership transfer? Thanks, eliot On 24.10.2023 00:38, Jan-Frederik Rieckers wrote: Hi emu folks, as already teased at the last IETF, we finally have a fir

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-23 Thread hannes.tschofenig
Hi Jan, I would like to learn a bit more about the concerns you expressed regarding EAP-TLS. If there are problems, then they should have been fixed with the work on EAP-TLS 1.3. You write: " The specification for EAP-TLS [RFC5216] does not include guidance on how to decide if a certifica

Re: [Emu] New I-D: A new EAP method called EAP-FIDO

2023-10-23 Thread Alan DeKok
It looks good as a first draft. Some first draft comments: I would suggest that the default should be to using the Web PKI for server authentication, unless there's a client configuration which says to use a different CA. This behavior means that configuring EAP-FIDO for a domain is simpl