Thanks for the pointer to the appendix.
If I understand the write-up correctly, then you are defining a new
version of PANA. The main difference is that PANA uses UDP to carry EAP
and this document uses CoAP over UDP to carry EAP.
Do I understand the use cases correctly?
Ciao
Hannes
On 16.
Hi Jan,
you cannot complain about the use of TLS in EAP when the EAP method you
propose relies on TLS. The TLS-based authentication is an essential part
of the FIDO solution. Without TLS it is completely insecure.
Regarding the key extractor use you describe below: I don't remember
this techni
On Oct 30, 2023, at 7:20 AM, Hannes Tschofenig wrote:
> you cannot complain about the use of TLS in EAP when the EAP method you
> propose relies on TLS. The TLS-based authentication is an essential part
> of the FIDO solution. Without TLS it is completely insecure.
I don't think that the propo
> It's almost 2024, and MDM is still difficult. There are a large number
> of companies who are happy to charge recurring monthly fees, per user, for
> MDM solutions. That's bad for everyone but them.
This is true, but EAP-FIDO is still not a free lunch:
- EAP-FIDO implies the existence of a w
On Oct 30, 2023, at 9:53 AM, josh.howl...@gmail.com wrote:
> This is true, but EAP-FIDO is still not a free lunch:
> - EAP-FIDO implies the existence of a web-service to perform the initial
> registration
Yes.
> - That web-service needs to share state with the RADIUS server
It is admittedly
Hi Jan-Fred,
I also have some comments on this draft.
- The draft talks about FIDO, but there is no introduction to FIDO. Yes, you
gave the standards references, but I think that is not sufficient.
I have a T2TRG draft:
https://datatracker.ietf.org/doc/draft-irtf-t2trg-security-setup-iot-devices/
w
> From: Alan DeKok
> On Oct 30, 2023, at 9:53 AM, josh.howl...@gmail.com wrote:
> > It would be very interesting if the initial registration could be
> > performed in-band of EAP (using WebPKI).
>
> That would be very useful. It's a balance between making the draft
> useful (large, long delay)
Dear Hannes:
PANA is an EAP lower-layer. As our I-D mentions, we are defining an EAP
lower-layer based on CoAP, which is a better fit for constrained devices and
networks. Moreover, the idea is to re-use the CoAP implementation already in the
constrained device to build this EAP lower-layer. On the other h