Minutes IETF120: emu: Tue 20:00
minutes-120-emu-202407232000-01
Meeting Minutes | EAP Method Update (emu) WG
---|---
Date and time | 2024-07-23 20:00
Title | Minutes IETF120: emu: Tue 20:00
State | Active
Other versions | markdown
Last updated | 2024-07-30
emu @ IETF120
Tuesday, July 23, 2024
Notes: Janfred Rieckers, Alan DeKok
Administrivia and Status - chairs - 10 min
WG was rechartered; new work has been adopted.
Agenda remains unbashed.
WG Items
EAP-ARPA - Alan DeKok - 10 min
Eliot Lear: Is there a reason to have anything in the local part of the
NAI? Couldn't we just say "anonymous" always?
Alan: There is no PII in this, it's just provisioning. It costs nothing
to add and we might need it?
Q: What will go in to the DNS?
Alan: There are some constraints on what can go into .arpa, but this is a
non-routable, non-resolvable domain, so nothing is in the DNS; no one
should ever be looking up this domain.
Q: Someone will look it up anyway. I will re-read the document to see if
there may be a problem.
Alan: The idea is to have a reliable domain that is sustainably
non-usable and non-routable.
Chairs: Would like to issue a WGLC soon, EAP-TLS-POK / bootstrap-tls
depends on this (Alan: not ready for WGLC).
Dan Harkins: We will have to adjust the bootstrap-tls draft to this new
document/the new .arpa domain.
EAP-EDHOC - Dan Garcia Carrillo - 15 min
Changes in length field to try to save bytes in the exchange
Advances in implementation during Paris Hackathon at Inria
Two implementations, one led by University of Murcia and another by
University of Univov (?)
Next: appreciate reviewers of the document
Questions?
Dan H.: Hackathon results were very promising. As soon as you put it in
wpa_supplicant, it will appear in Android, but experience from DPP
shows: it's in there, but not usable for users because a UI doesn't
exist.
Alan is volunteering to review.
Also, in the chat, Marco Tiloca and Gabriel Lopez-Millan volunteered to
review.
EAP-FIDO - Janfred - 15 min
Name change for EAP-FIDO.
Trying to leverage FIDO keys for EAP. TLS then FIDO within the tunnel.
Configuration is a problem, so EAP-FIDO has only one configuration
option: domain of user to use.
Review of work in Brisbane, most work went into PoC implementation.
Still some to-dos, and need external answers to see what to do.
There is a functioning implementation in hostap / wpa_supplicant.
Some issues need addressing - crypto agility, for example.
Meeting with W3C to help address issues. Use "EAP-NetAuthn" as the new
name, à la "WebAuthn". For UIs, maybe use "Use Passkey".
Question: (1) make it so all data needed to connect is in the
discoverable part of the credential. (2) Apple doesn't seem to want to
do silent authentication. Might need to do individual device ID
authentication, so full auth once at least.
Existing WebAuthn doesn't forbid silent authentication, but doesn't
implement it.
Question: can we rely on TLS session tokens? In lieu of silent
authentication, do full auth once, and then resumption. Answer: will
look into it.
Non-WG Items
Blast-RADIUS - Alan DeKok - 10 min
Alan presents the Blast-RADIUS vulnerability.
EAP-PPT - Paresh Sawant - 15 min
Joe Salowey (no Chair-Hat): If the attestation is OOB is it running on a
separate interface?
Answer: Cached tokens can be used, or you could use cellular data to get
the issuer.
Alan: Document seems clear, although there is a little bit of vagueness
on the outer TLS; there could be a bit more text to clarify.
Answer: Big difference for public/private use case.
Alan: It would help to have these issues discussed in the documents,
just to make things clear.
Eliot: What are the next steps?
Chairs: Would have to coordinate with privacypass WG to understand the
implications. Currently EMU is not chartered for this work; we could
recharter and then move forward.
Eliot: We start with a presentation in privacy pass, but my concern is
that then nothing happens. Maybe we need help from Paul Wouters to make
sure things don't drop dead.
Paul W. (SEC AD): If this falls in between WG, please come talk to me,
and we'll sort it out.
Eliot: Seems a bit weird that we have to recharter for every new EAP
method; maybe we could make that easier.
Paul W.: Different ways of doing business; it helps to stay focused on
the current milestones, instead of adopting a new shiny thing every
session and never finishing any.
PQC for EAP-AKA' (Draft 1, Draft 2) - Aritra Banerjee - 10 min
Joe: Haven't looked at the draft closely. See some similarity; why don't
you use the same approach in pure-KEM and hybrid-KEM?
Answer: For pure PQC-KEM it seemed like unnecessary overhead.