[{"author": "Tim Cappalli", "text": "
Passkeys need to be bootstrapped too
", "time": "2024-03-19T05:53:05Z"}, {"author": "G\u00f6ran Selander", "text": "For the minutes, link to Paris Hackathon where EAP-EDHOC is one of the topics:
\nhttps://parishackathon.lakewg.org/
Thanks, G\u00f6ran!
", "time": "2024-03-19T05:54:21Z"}, {"author": "Alan DeKok", "text": "The EAP-FIDO proposal is largely \"FIDO CTAP\" with the transport protocol being EAP instead of HTTP.
", "time": "2024-03-19T05:54:46Z"}, {"author": "Alan DeKok", "text": "with provisioning being done outside of EAP
", "time": "2024-03-19T05:55:03Z"}, {"author": "Alexander Clouter", "text": "@Tim this is the difference between 'Server-Side' and 'Discoverable', no?
", "time": "2024-03-19T05:55:19Z"}, {"author": "Tim Cappalli", "text": "What user is going to understand this?
", "time": "2024-03-19T05:55:28Z"}, {"author": "Tim Cappalli", "text": "You're back to the same problems as configuring a supplicant for EAP-TTLS or PEAPv0
", "time": "2024-03-19T05:55:42Z"}, {"author": "Alexander Clouter", "text": "no, as the user just provides their realm
", "time": "2024-03-19T05:56:15Z"}, {"author": "Tim Cappalli", "text": "RP ID is rarely going to match the user's realm
", "time": "2024-03-19T05:56:34Z"}, {"author": "Alexander Clouter", "text": "we assume the user knows where they work/study
", "time": "2024-03-19T05:56:37Z"}, {"author": "Alan DeKok", "text": "the idea is that if the user has a passkey for \"example.com\", the entire EAP configuration is \"allow example.com for SSID foo\"
", "time": "2024-03-19T05:56:47Z"}, {"author": "Alexander Clouter", "text": "@tim, for this use case it does
", "time": "2024-03-19T05:56:48Z"}, {"author": "Alan DeKok", "text": "PEAP / TTLS / etc. require configuration a different CA store than for web, or a different CA, and then passwords with password formats. It's hard
", "time": "2024-03-19T05:57:23Z"}, {"author": "Tim Cappalli", "text": "If this is a tunneled EAP method, you still need server cert trust, no?
", "time": "2024-03-19T05:57:49Z"}, {"author": "Alan DeKok", "text": "if this proposal isn't completely wrong, the hope is to leverage passkeys for a domain to allow users to authenticate with EAP
", "time": "2024-03-19T05:57:50Z"}, {"author": "Dan Harkins", "text": "Need to do a ZKP with passwords, then the problem goes away.
", "time": "2024-03-19T05:57:57Z"}, {"author": "Alan DeKok", "text": "@tim defined to use the web CA store for this EAP metho
", "time": "2024-03-19T05:58:15Z"}, {"author": "Alexander Clouter", "text": "bring back the PAC for EAP-FIDO/TANGO?
", "time": "2024-03-19T06:05:48Z"}, {"author": "Alexander Clouter", "text": "then the passkey becomes something for bootstrapping, but then its turtles all the way down...
", "time": "2024-03-19T06:06:19Z"}, {"author": "Tim Cappalli", "text": "why do you want to get rid of certificates? They are reliable and do the job.
", "time": "2024-03-19T06:13:04Z"}, {"author": "Tim Cappalli", "text": "Revocation has a bigger blast RADIUS than just network access
", "time": "2024-03-19T06:14:00Z"}, {"author": "Alexander Clouter", "text": "onboarding is expensive, either in time or paying a per-device license to a vendor to do it for you
", "time": "2024-03-19T06:14:05Z"}, {"author": "Alexander Clouter", "text": "for a university, for example, $5/month/device is a show stopper
", "time": "2024-03-19T06:14:34Z"}, {"author": "Alan DeKok", "text": "yes, that's one reason why passkey seems better
", "time": "2024-03-19T06:16:03Z"}, {"author": "Alexander Clouter", "text": "another aim of passkey is that (in theory) the same key once enrolled could be used for multiple devices; but of course this would not apply for software keys plus not many phones take a usb-c passkey directly
", "time": "2024-03-19T06:18:36Z"}, {"author": "Tim Cappalli", "text": "happy to help offline. I'm sure John as well.
", "time": "2024-03-19T06:18:37Z"}, {"author": "Alan DeKok", "text": "TOTPs were all special apps for a while. my iPhone now shows them natively
", "time": "2024-03-19T06:18:55Z"}, {"author": "Alper Demir", "text": "I can try to take notes if you can share the url.
", "time": "2024-03-19T06:25:28Z"}, {"author": "Peter Yee", "text": "Notes are being taken here: https://notes.ietf.org/notes-ietf-119-emu
", "time": "2024-03-19T06:26:09Z"}, {"author": "Peter Yee", "text": "I think we have enough note takers at the moment.
", "time": "2024-03-19T06:26:23Z"}, {"author": "Christopher Inacio", "text": "@Tim Cappalli thanks for the minutes corrections. there's probably room to correct a lot since I'm not really an EAP person.
", "time": "2024-03-19T06:28:48Z"}, {"author": "Jan-Frederik Rieckers", "text": "I usually just go through the recording once it's out and add everything that I didn't catch in the moment
", "time": "2024-03-19T06:29:57Z"}, {"author": "Jan-Frederik Rieckers", "text": "@Tim if you could email me, so we can start a conversation? rieckers@dfn.de
", "time": "2024-03-19T06:32:27Z"}, {"author": "Alper Demir", "text": "which draf to collaborate?
", "time": "2024-03-19T06:32:32Z"}, {"author": "Alper Demir", "text": "You may send email to: akdemir@atu.edu.tr
", "time": "2024-03-19T06:34:06Z"}, {"author": "Christopher Inacio", "text": "yeah, you'll need to watch the recording to catch all of that back and forth
", "time": "2024-03-19T06:34:20Z"}]