[{"author": "Steffen Fries", "text": "

Audio is working

", "time": "2022-11-07T13:00:41Z"}, {"author": "Phillip Hallam-Baker", "text": "

I can relay messages from this chat to the room if you find yourself connectionally challenged.

", "time": "2022-11-07T13:01:43Z"}, {"author": "Wolfgang Beck", "text": "

thx

", "time": "2022-11-07T13:02:57Z"}, {"author": "Behcet Sarikaya", "text": "

I think I finally added radextra stream to my Zulip

", "time": "2022-11-07T13:22:23Z"}, {"author": "Stephen Farrell", "text": "

seems to have worked:-)

", "time": "2022-11-07T13:23:18Z"}, {"author": "Margaret Cullen", "text": "

(I work at Painless Security, and we work with Internet2 to run Eduroam US) I have my hand up in the radextra room. Is that the right way to get in line at the mic?

", "time": "2022-11-07T13:26:41Z"}, {"author": "Stephen Farrell", "text": "

yep you're in the queue nicely

", "time": "2022-11-07T13:27:05Z"}, {"author": "Phillip Hallam-Baker", "text": "

yes
\nyou are on the list in front of me

", "time": "2022-11-07T13:27:10Z"}, {"author": "Margaret Cullen", "text": "

thank you!

", "time": "2022-11-07T13:27:20Z"}, {"author": "Behcet Sarikaya", "text": "

jabber room for radextra is extremely silent, why?

", "time": "2022-11-07T13:49:57Z"}, {"author": "Stephen Farrell", "text": "

not sure why but it's fine to chat if people want

", "time": "2022-11-07T13:51:14Z"}, {"author": "Alan DeKok", "text": "

Everyone is fascinated by the presentations. Or depressed by them?

", "time": "2022-11-07T13:53:19Z"}, {"author": "Dan Harkins", "text": "

google is already doing that without snooping radius

", "time": "2022-11-07T13:53:31Z"}, {"author": "Alan DeKok", "text": "

\"track my devices\". No one thought that 1984 would be real. And that the people being monitored would actively pay for it out of their own funds

", "time": "2022-11-07T13:54:32Z"}, {"author": "Dan Harkins", "text": "

this \"older protocol with known security issues is deployed\" and \"new protocol that is better is not\" seems somewhat IKEv1 and IKEv2 to me. But instead of writing a die-die-die draft for RADIUS the desire is to fix it.

", "time": "2022-11-07T13:55:23Z"}, {"author": "Alan DeKok", "text": "

the issue with IPSec is that the application and network security are separated. Using TLS means that the application is aware of its own security. And that the admin of the application doesn't need to coordinate with a \"network security\" group in order to deploy application security.

", "time": "2022-11-07T13:56:44Z"}, {"author": "Alan DeKok", "text": "

i.e. TLS is solving a business / admin / political problem. Not a technical one

", "time": "2022-11-07T13:57:13Z"}, {"author": "Phillip Hallam-Baker", "text": "

What is the support for TLS-EAP in legacy radius devices?

", "time": "2022-11-07T13:58:07Z"}, {"author": "Alan DeKok", "text": "

legacy RADIUS devices do UDP transport only. They don't use TLS. And that's probably the bulk of the current RADIUS market

", "time": "2022-11-07T13:58:46Z"}, {"author": "Alan DeKok", "text": "

but the devices generally don't talk to the Internet. They talk to a local RADIUS server / proxy, which is fully TLS capable.

", "time": "2022-11-07T13:59:10Z"}, {"author": "Behcet Sarikaya", "text": "

Alan, did you think about moving to QUIC?

", "time": "2022-11-07T13:59:44Z"}, {"author": "Alan DeKok", "text": "

It's a lot of work. but if people are willing to do the work....

", "time": "2022-11-07T14:00:20Z"}, {"author": "Alexander Clouter", "text": "

DTLS does not have head of line blocking

", "time": "2022-11-07T14:00:25Z"}, {"author": "Alexander Clouter", "text": "

curious what the superpowers it would provide?

", "time": "2022-11-07T14:00:46Z"}, {"author": "Behcet Sarikaya", "text": "

It seems like QUIC can only work with HTTP?

", "time": "2022-11-07T14:00:52Z"}, {"author": "Alan DeKok", "text": "

QUIC is largely designed for the needs of HTTP. I haven't looked at it in detail to see how applicable it is for RADIUS

", "time": "2022-11-07T14:01:29Z"}, {"author": "Phillip Hallam-Baker", "text": "

I have a device onboarding protocol that via a QR code interaction performs all the onboarding requirements: Network setup, provisioning of public/private keys etc, etc. I would like to be able to provision public key based WiFi connection credentials as part of the process. Question being what might get support on the WiFi side...

", "time": "2022-11-07T14:01:44Z"}, {"author": "Alexander Clouter", "text": "

QUIC seems better applied to RPC (some people claim) which makes it a good fit for HTTP

", "time": "2022-11-07T14:01:57Z"}, {"author": "Dan Harkins", "text": "

@PHB, how is that different than DPP?

", "time": "2022-11-07T14:03:32Z"}, {"author": "Behcet Sarikaya", "text": "

@Alan DeKok if you get the WG, QUIC could be a good extension path

", "time": "2022-11-07T14:04:38Z"}, {"author": "Phillip Hallam-Baker", "text": "

DPP?

", "time": "2022-11-07T14:04:49Z"}, {"author": "Dan Harkins", "text": "

Device Provisioning Protocol

", "time": "2022-11-07T14:05:00Z"}, {"author": "Behcet Sarikaya", "text": "

DPP does not use AAA

", "time": "2022-11-07T14:05:37Z"}, {"author": "Dan Harkins", "text": "

but it does exactly what PHB was saying his protocol does.

", "time": "2022-11-07T14:06:16Z"}, {"author": "Phillip Hallam-Baker", "text": "

What I see in the DPP description suggests that this is an onboarding I have to do for each device to each network.
\nThe Mesh idea is completely different. Alice connects her devices to her Mesh. If Alice connects a WiFi network to her Mesh, that automatically causes all her devices with network access permission to be automatically provisioned.

\n

So if Alice has 20 mobile devices and connects to 50 networks, she goes through 20+50 connection operations, not 20*50 which is what DPP implies.

", "time": "2022-11-07T14:09:07Z"}, {"author": "Phillip Hallam-Baker", "text": "

I have yet to find any IoT device with WiFi support that was not designed by a moron. Nest is unable to realize that I might change my WiFi network, that I might have more than one. some of my NEST Protect devices require scaffolding to access.

", "time": "2022-11-07T14:11:17Z"}, {"author": "Behcet Sarikaya", "text": "

@PHB, Bluetooth Mesh?

", "time": "2022-11-07T14:11:21Z"}, {"author": "Phillip Hallam-Baker", "text": "

No, mathematical Mesh

", "time": "2022-11-07T14:11:34Z"}, {"author": "Phillip Hallam-Baker", "text": "

This is cryptography, application layer, not link layer.

", "time": "2022-11-07T14:11:54Z"}, {"author": "Margaret Cullen", "text": "

In a multi-hop RADIUS proxy infrastructure with different transports allowed/used at different hops, I think that it becomes even more important to define something like Status-Realm, to determine how and why requests are dropped or mis-routed by the infrastructure.

", "time": "2022-11-07T14:12:35Z"}, {"author": "Stephen Farrell", "text": "

@Margaret Cullen did you want that comment relayed to the room in audio?

", "time": "2022-11-07T14:17:03Z"}, {"author": "Margaret Cullen", "text": "

No.

", "time": "2022-11-07T14:17:12Z"}, {"author": "Lionel Morand", "text": "

typo in \"consoortiums\" :)

", "time": "2022-11-07T14:17:56Z"}, {"author": "Mohamed Boucadair", "text": "

The language in draft-ietf-uta-rfc7525bis may be considered here for TLS 1.2/1.3

", "time": "2022-11-07T14:19:36Z"}, {"author": "Phillip Hallam-Baker", "text": "

Mohamed do you want that relayed?

", "time": "2022-11-07T14:28:01Z"}, {"author": "Margaret Cullen", "text": "

If the goal is FIPS compliant, let's just say \"Define a secure variant of RADIUS that is FIPS compliant\".

", "time": "2022-11-07T14:28:08Z"}, {"author": "Mohamed Boucadair", "text": "

@PHB: no, thanks. Roman mentioned that BCP right after I made my comment.

", "time": "2022-11-07T14:29:43Z"}, {"author": "Behcet Sarikaya", "text": "

@Mohamed Boucadair it says implementations pls use TLS 1.3

", "time": "2022-11-07T14:29:56Z"}, {"author": "Valery Smyslov", "text": "

@Behcet: Not exactly. Quoting rfc7525bis:

", "time": "2022-11-07T14:32:26Z"}, {"author": "Valery Smyslov", "text": "

New application
\n protocols that employ TLS/DTLS for channel or session encryption
\n MUST integrate with both TLS/DTLS versions 1.2 and 1.3;
\n nevertheless, in rare cases where broad interoperability is not a
\n concern, application protocol designers MAY choose to forego TLS
\n 1.2.

", "time": "2022-11-07T14:32:28Z"}, {"author": "Phillip Hallam-Baker", "text": "

Prefix any statements you want relayed with 'MIC'

", "time": "2022-11-07T14:32:50Z"}, {"author": "Valery Smyslov", "text": "

@phb: I'm not sure whether it must be relayed, since the discussion went far from this point, but I think that following recommendations from rfc7525bis draft (in RFC queue currently) is a good thing when selecting which TLS version to choose.

", "time": "2022-11-07T14:34:35Z"}, {"author": "Margaret Cullen", "text": "

I would be happy to add a new time type to Status-Realm, if we decide we need it.

", "time": "2022-11-07T14:35:39Z"}, {"author": "Margaret Cullen", "text": "

I like \"deprecating insecure transport\"

", "time": "2022-11-07T14:36:28Z"}, {"author": "Grant Knott", "text": "

Maybe we have text about something like \"Consider updating the date-time format to meet requirements determined by the WG\"

", "time": "2022-11-07T14:38:20Z"}, {"author": "Mark Donnelly", "text": "

And no DNS!

", "time": "2022-11-07T14:38:56Z"}, {"author": "Margaret Cullen", "text": "

Add support for multi-hop Status-Server functionality and loop detection in multi-hop proxy networks.

", "time": "2022-11-07T14:40:37Z"}, {"author": "Stephen Farrell", "text": "

thanks

", "time": "2022-11-07T14:40:46Z"}, {"author": "Margaret Cullen", "text": "

Actually change \"networks\" to \"RADIUS fabrics\"

", "time": "2022-11-07T14:41:00Z"}, {"author": "Behcet Sarikaya", "text": "

@Valery Smyslov I think Alan already has it in the slides, so don't worry

", "time": "2022-11-07T14:43:12Z"}, {"author": "Valery Smyslov", "text": "

Ok :-)

", "time": "2022-11-07T14:43:41Z"}, {"author": "Phillip Hallam-Baker", "text": "

Why is this BOF different from all the other BOFs?

", "time": "2022-11-07T14:45:46Z"}, {"author": "Margaret Cullen", "text": "

How do we hum from home?

", "time": "2022-11-07T14:46:03Z"}, {"author": "Phillip Hallam-Baker", "text": "

There is a hum tool

", "time": "2022-11-07T14:46:20Z"}, {"author": "Grant Knott", "text": "

@Margaret Cullen maybe we need a new humming RFC for that

", "time": "2022-11-07T14:46:38Z"}, {"author": "Phillip Hallam-Baker", "text": "

Is the hum appearing Margaret?

", "time": "2022-11-07T14:47:02Z"}, {"author": "Margaret Cullen", "text": "

Yes, thanks. I hadn't seen that before.

", "time": "2022-11-07T14:47:22Z"}, {"author": "Vadim Cargatser", "text": "

:+1:

", "time": "2022-11-07T14:48:26Z"}, {"author": "Alexander Clouter", "text": "

yep, happy to review drafts

", "time": "2022-11-07T14:48:41Z"}, {"author": "Arran Cudbard-Bell", "text": "

:thumbsup:

", "time": "2022-11-07T14:48:47Z"}, {"author": "Margaret Cullen", "text": "

Yes

", "time": "2022-11-07T14:48:48Z"}, {"author": "Wolfgang Beck", "text": "

yes

", "time": "2022-11-07T14:48:51Z"}, {"author": "Dan Harkins", "text": "

:thumbsup:

", "time": "2022-11-07T14:49:10Z"}, {"author": "Margaret Cullen", "text": "

Yes

", "time": "2022-11-07T14:49:17Z"}, {"author": "Margaret Cullen", "text": "

(to edit)

", "time": "2022-11-07T14:49:23Z"}, {"author": "Alexander Clouter", "text": "

yes

", "time": "2022-11-07T14:49:23Z"}]