Skip to main content

Minutes IETF113: emu
minutes-113-emu-00

The information below is for an old version of the document.
Meeting Minutes EAP Method Update (emu) WG Snapshot
Date and time 2022-03-22 12:00
Title Minutes IETF113: emu
State Active
Other versions markdown
Last updated 2022-03-23

minutes-113-emu-00

Administriva

  • Notes: Jan-Frederik Rieckers

WG-Documents

AKA-PFS

Presenting: Jari Arkko (JA)

  • Hanging around right now, waiting for opportunity to put it in use
  • -06 submitted, reference update, PFS/"forward secrecy" terminology
  • One open issue with disucussion on ML about encoding of the public value, see ML archive. More input from WG/others needed

John Mattsson: Fine with 33 bytes, many people already use it, no objection.
(Clarification question from JA: Wording in current draft ok? John will check.)
Dan: Only use for additional byte is the sign, extra byte not needed/helpful. Only X-coordinate are transmitted, so sign does not matter anyway
John: Can live with both,
Mohit: 3gpp already uses 33 bytes,

Finalize the specification, then start WGLC.

Nicholas Gajcowski: Library use may be an issue, libraries may expect different sizes.
JA: Spec will be clear, no ambiguity then, interface to library should be clear.
Jonathan Hammell: For 32-byte representation you may need to calculate the Y for library use.
D: Have to do the calculation anyway.

TLS EAP Types

Presenting: Alan Dekok

  • for multiple implementation it is 'aledgedly' good to go
  • Open issue: Disallow only client certificates without inner authentication method.
    • Already in the last version of the draft, not much discussion on this
  • Second issue: TTLS+PAP
    • Only "half" roundtrip, no protected success/failure indicator.
    • Problem with sending a session ticket, unexpected message, could lead to reject
  • Most implementations are ok, pending the issues good to publish

Mohit:
Tim: MAC OS lets you configure it, not sure if it works
Alan: Using only certificate is configurable in my software, but we have already a method for using only a client certificate. Forbidding this would prevent people from using this and having problem.

Alan will update the draft, then this should be good to go.

Other drafts

EAP usability

  • not a lot to discuss, only minor updates
  • Not just a way to configure EAP, tradeoff in cost
  • EAP is becomming a container for several messages, e.g. provisioning, ...

    • Probably good to use for administrators, but gets more complicated to implement
  • Question: is this ready for WG adoption

Elliot: Looked into this a while ago. Want to address one point: In IoT we don't have user interface, so we need a way to provision a certificate, relying on standard internet protocols. Can you elaborate how to do that?
Alan:
Phone/Laptop has probably two different network interfaces, could rely on DNS/HTTP/... to provision the EAP configuration. Draft provides a method to easily set up EAP networks. Problem is that the error messages are usually not verbose
Bernard: EAP not suitale for transfering much data, better to do it via other methods
Alan: Configuration may include Certificates/Chains, up to 64k data seen, not suitable for EAP
Bernard: Will improve likelihood that configuration will succeed if using second network connection,
Eliot: Two directions to take. Direction 1: Scope the document to cover only certain use cases. Direction 2: update the document to include more use cases, EAP has high complexity
Not saying "not do this draft", but think about if we want to tackle the problems together or apart from each other
May open other attack vectors, need to think about that.
Tim: Super frustrating to connect, even to the ietf network. Scoping it to user devices would be good, maybe make different EAP

Joe: Not go for adoption call, maybe take it to the list to have more discussion about it.

DPP

Presenting: Dan Harkings

  • WiFi-DPP uses a raw bootstrapping key to establish trust
  • Idea: Use this key in EAP, make use of TLS raw public keys
  • Use this inside TEAP, make the TLS exchange, use PKCS#10 exchange to provision client certificate
  • Question rough consensus for adoption?

Mohit:
Russ: It is still experimental

Bernard: Mention of identity response in a way that never has been standardized. Never documented this, might be a good idea to document it.
Elliot: good idea to move this forward. We should consider revving TEAP, but we need this first.

Dan: CSR Attrs TLS does not exist yet, move forward with TEAP update

Joe: Maybe some things to resolve with tls, clarify if this is blocking. If not, go ahead with adoption call.
Mohit: For adopting this. TLS issues should not be blocking. Would be good to have more TLS eyeballs on it,
Dan: Inserting the DPP-Key into the tls key schedule problem, tls wg suggested

EAP-IBS

Presenting: Meiling Chen

  • Use cases: IoT-Devices and devices without CA certificate support
  • Implementation exists
  • Uses Extensions
  • Request for this to become a WG item

Mohit: This would be a separate EAP-Method, not EAP-TLS

Show of hands: Have you read the draft? 8yes/21no

Joe: Call on the list.

EAP-NOOB-Observations/EAP-UTE

Presenting: Jan-Frederik Rieckers

This draft examines certain properties of NOOB and attempts to offer an evolution
on the protocol that does things like uses CBOR instead of JSON and properly has a
version # ;-) There was no time for questinos. This is part of graduate work, and
Jan-Frederik was looking for some feedback.

EAP-Creds

Presenting: Yuan Tian
* Problem: Different type of credentials that need to be provisioned
* EAP already used for different access methods/
* EAP-CREDS will rely on the security of the communication channel
* Three phases:
* Initialization
* Provisioning
* Validation
* Looking into collaboration/contributions. Current plan to continue work on this and then request to adopt as WG item.