[{"author": "Tim Cappalli", "text": "<p>Passkeys need to be bootstrapped too</p>", "time": "2024-03-19T05:53:05Z"}, {"author": "G\u00f6ran Selander", "text": "<p>For the minutes, link to Paris Hackathon where EAP-EDHOC is one of the topics:<br>\n<a href=\"https://parishackathon.lakewg.org/\">https://parishackathon.lakewg.org/</a></p>", "time": "2024-03-19T05:53:59Z"}, {"author": "Peter Yee", "text": "<p>Thanks, G\u00f6ran!</p>", "time": "2024-03-19T05:54:21Z"}, {"author": "Alan DeKok", "text": "<p>The EAP-FIDO proposal is largely \"FIDO CTAP\" with the transport protocol being EAP instead of HTTP.</p>", "time": "2024-03-19T05:54:46Z"}, {"author": "Alan DeKok", "text": "<p>with provisioning being done outside of EAP</p>", "time": "2024-03-19T05:55:03Z"}, {"author": "Alexander Clouter", "text": "<p>@Tim this is the difference between 'Server-Side' and 'Discoverable', no?</p>", "time": "2024-03-19T05:55:19Z"}, {"author": "Tim Cappalli", "text": "<p>What user is going to understand this?</p>", "time": "2024-03-19T05:55:28Z"}, {"author": "Tim Cappalli", "text": "<p>You're back to the same problems as configuring a supplicant for EAP-TTLS or PEAPv0</p>", "time": "2024-03-19T05:55:42Z"}, {"author": "Alexander Clouter", "text": "<p>no, as the user just provides their realm</p>", "time": "2024-03-19T05:56:15Z"}, {"author": "Tim Cappalli", "text": "<p>RP ID is rarely going to match the user's realm</p>", "time": "2024-03-19T05:56:34Z"}, {"author": "Alexander Clouter", "text": "<p>we assume the user knows where they work/study</p>", "time": "2024-03-19T05:56:37Z"}, {"author": "Alan DeKok", "text": "<p>the idea is that if the user has a passkey for \"<a href=\"http://example.com\">example.com</a>\", the entire EAP configuration is \"allow <a href=\"http://example.com\">example.com</a> for SSID foo\"</p>", "time": "2024-03-19T05:56:47Z"}, {"author": "Alexander Clouter", "text": "<p>@tim, for this use case it does</p>", "time": "2024-03-19T05:56:48Z"}, {"author": "Alan DeKok", "text": "<p>PEAP / TTLS / etc. require configuration a different CA store than for web, or a different CA, and then passwords with password formats.  It's hard</p>", "time": "2024-03-19T05:57:23Z"}, {"author": "Tim Cappalli", "text": "<p>If this is a tunneled EAP method, you still need server cert trust, no?</p>", "time": "2024-03-19T05:57:49Z"}, {"author": "Alan DeKok", "text": "<p>if this proposal isn't completely wrong, the hope is to leverage passkeys for a domain to allow users to authenticate with EAP</p>", "time": "2024-03-19T05:57:50Z"}, {"author": "Dan Harkins", "text": "<p>Need to do a ZKP with passwords, then the problem goes away.</p>", "time": "2024-03-19T05:57:57Z"}, {"author": "Alan DeKok", "text": "<p>@tim defined to use the web CA store for this EAP metho</p>", "time": "2024-03-19T05:58:15Z"}, {"author": "Alexander Clouter", "text": "<p>bring back the PAC for EAP-FIDO/TANGO?</p>", "time": "2024-03-19T06:05:48Z"}, {"author": "Alexander Clouter", "text": "<p>then the passkey becomes something for bootstrapping, but then its turtles all the way down...</p>", "time": "2024-03-19T06:06:19Z"}, {"author": "Tim Cappalli", "text": "<p>why do you want to get rid of certificates? They are reliable and do the job.</p>", "time": "2024-03-19T06:13:04Z"}, {"author": "Tim Cappalli", "text": "<p>Revocation has a bigger blast RADIUS than just network access</p>", "time": "2024-03-19T06:14:00Z"}, {"author": "Alexander Clouter", "text": "<p>onboarding is expensive, either in time or paying a per-device license to a vendor to do it for you</p>", "time": "2024-03-19T06:14:05Z"}, {"author": "Alexander Clouter", "text": "<p>for a university, for example, $5/month/device is a show stopper</p>", "time": "2024-03-19T06:14:34Z"}, {"author": "Alan DeKok", "text": "<p>yes, that's one reason why passkey seems better</p>", "time": "2024-03-19T06:16:03Z"}, {"author": "Alexander Clouter", "text": "<p>another aim of passkey is that (in theory) the same key once enrolled could be used for multiple devices; but of course this would not apply for software keys plus not many phones take a usb-c passkey directly</p>", "time": "2024-03-19T06:18:36Z"}, {"author": "Tim Cappalli", "text": "<p>happy to help offline. I'm sure John as well.</p>", "time": "2024-03-19T06:18:37Z"}, {"author": "Alan DeKok", "text": "<p>TOTPs were all special apps for a while.  my iPhone now shows them natively</p>", "time": "2024-03-19T06:18:55Z"}, {"author": "Alper Demir", "text": "<p>I can try to take notes if you can share the url.</p>", "time": "2024-03-19T06:25:28Z"}, {"author": "Peter Yee", "text": "<p>Notes are being taken here: <a href=\"https://notes.ietf.org/notes-ietf-119-emu\">https://notes.ietf.org/notes-ietf-119-emu</a></p>", "time": "2024-03-19T06:26:09Z"}, {"author": "Peter Yee", "text": "<p>I think we have enough note takers at the moment.</p>", "time": "2024-03-19T06:26:23Z"}, {"author": "Christopher Inacio", "text": "<p><span class=\"user-mention\" data-user-id=\"4041\">@Tim Cappalli</span> thanks for the minutes corrections.  there's probably room to correct a lot since I'm not really an EAP person.</p>", "time": "2024-03-19T06:28:48Z"}, {"author": "Jan-Frederik Rieckers", "text": "<p>I usually just go through the recording once it's out and add everything that I didn't catch in the moment</p>", "time": "2024-03-19T06:29:57Z"}, {"author": "Jan-Frederik Rieckers", "text": "<p>@Tim if you could email me, so we can start a conversation? <a href=\"mailto:rieckers@dfn.de\">rieckers@dfn.de</a></p>", "time": "2024-03-19T06:32:27Z"}, {"author": "Alper Demir", "text": "<p>which draf to collaborate?</p>", "time": "2024-03-19T06:32:32Z"}, {"author": "Alper Demir", "text": "<p>You may send email to: <a href=\"mailto:akdemir@atu.edu.tr\">akdemir@atu.edu.tr</a></p>", "time": "2024-03-19T06:34:06Z"}, {"author": "Christopher Inacio", "text": "<p>yeah, you'll need to watch the recording to catch all of that back and forth</p>", "time": "2024-03-19T06:34:20Z"}]