Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Internet Engineering Task Force / 106 / 18 Nov 2019
Internet Engineering Task Force / 106 / 18 Nov 2019
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: IETF106-EMU-20191118-1550

Description

EMU meeting session at IETF106
2019/11/18 1550

https://datatracker.ietf.org/meeting/106/proceedings/

A

Welcome to Singapore.

A

Yeah um just go back one.

A

There we go um anyway, you probably have all seen the note well before, but I'll put it up here for just a second, since it is Monday right, yeah, yeah,.

A

Okay, blue sheets are going around no they're, not blue sheets will be going around momentarily I believe we have a Elliott taking notes and- and somebody do an Jabbar.

A

The I guess the next thing would be working group documents so who do we have up? First.

A

Yeah, maybe Yuri, do you want to just get up and say a few things about aka, or are you ready for that? That might be the quickest.

B

So I don't actually have any slide, so I can put about the 54:48 this and then the PFS document both of its are working route documents. The the base is about to be sent, I, see I, believe and there's been a small update of that, and that is through Joe's review identified that there's a few references that have received in new RFC or those revisions have been obsoleted or the RCS have been obsoleted and so I just replaced them with new ones. So this was for the NAI RFC for Ike v2, RFC I.

B

Think the IANA considerations are C. So that's a simple thing: I, don't have any other open issues at this time.

A

Yeah I'm pretty sure that we've this is document is well ready to go forward. So I'll hit the button after this meeting.

B

mmm

B

And then, on the aka side, there were two updates recently one for the deadlines and then you know more proper updates today few hours ago and there's no huge change, but it included a few things which I am listing here from my notes. The first thing is that we changed the document to do an update.

B

It has an update header at the top and says update 54:48, or rather the the draft that will at some point get an RFC number, because we are extending it, noting that and then I changed the wording around what we say about this document and it's optionality, it's optional, but now it also says it's use is recommended.

B

Basically, based on you know, better security properties, and then there were some somewhat unclear references to the the curve 255 19 and how different numbers are generated. So there was reference to can't remember that OC numbers of hand, but but there's the the RFC that actually defines the curve and then this RFC that uses it for IP to and actually deleted the ike v2 reference entirely from that and just refer to the actual curve definition RFC and simplified some AKA and simcard terminology and made some other editorial changes.

B

So I believe those are hopefully largely uncontroversial things we did identify when Jen and I were discussing. We did identify one remaining issue that we didn't quite know how to deal with so so. This draft defines one algorithm, the curve 255 19, to do things and what it does is that it carries this in in one attribute that defines like we're going to do this particular extension and then there's an attribute, or for this algorithm, this entire style of key generation.

B

And now the question is: is it sufficient to have one algorithm must be already from day. One have to maybe maybe not I'd like to hear opinions and secondly, how do we handle the registration of this number so so now it's kind of like everything's, bundled together.

B

If you do this thing, then there's one number that refers to this particular style of key generation and and this particular algorithm you could also separate them, but then it'd be more attributes and John had also suggested that Mina maybe would be possible to refer to some some other registry of algorithms. Of this, this nature that's a possibility as well.

B

Although I was looking at some of the existing registers and their numbers bases were kind of funny that they were not sort of neatly positive, small, integral numbers, but it was a cosy registry that was a little bit funny in that sense that he googles and negative numbers and so on, but I guess. The main question is: do we need something extra in terms of additional algorithms from day one? And if so, is the current structure of F attribute sufficient or not.

C

Then you take a stab at both of those. The first is by referring the question about multiple algorithms. Over to you know, two more more knowledgeable people who are understanding of what the state of standardization of the various curves are, because, particularly at the nist level, because if you have another standardized curve that I know I know they're coming along, but I don't know where, where they, where they land, it seems to me having a second having a another go to one is, is a useful way to handle failover in in case of a crisis.

C

That's just you know one view of it at least. The second point about having multiple registries is, does having an entry in the registry. What does it imply in terms of implementation if it implies nothing in terms of implementation, then overloading sounds fine if it implies something about if it implies something about an implementation in terms of yeah, you you have to be able to. Man have to be able to support it. Is it an empty eye? Is it an option? Then? Then overloading is bad. Yeah.

B

That's a good point but I think there's a separation between like the requirement level that even if we just write things in in our document, we'll have to say, and even if we have two or three algorithms, we will have to say that this one's mandatory and these other ones are optional or all of them are around Natori. So that decision has to happen. There's a separate thing about: do we actually reuse somebody else's number or not?.

D

You're, not song so I think it would be good not to to specify make the document more general and to support a set of algorithm anon. It's correct to have a state mandatory to implement tree DPP. When discussing Sookie encryption, three people decided to standardize both curve. Two five, five one, nine and P 256 there's also has been in the past. The general wish for treaty people to have now they did not choose that for Sookie, but in the there's been a wish to have stronger algorithm, a able to.

D

For government requirements, government wanting to use celery systems I think curve, because p-38 for would also be good to and maybe in a few traits will be curved for for eight, but I think that would be very good.

D

No yes to support them for as mousses I think code to for among nine as mandatory to implement everything else optional, but it would be good if the document could just the best thing would be if we could take the coastal register or the TLS register, and just refer to that and say look here is how to to use any of these that already and rise. Also for this I, don't there's complications. How do we transfer them?

D

Is there any TLS, IPSec courses specifically, and how do we transfer the identifiers, but these are still for analysis, perfect. That would be in the best. That would be the best option if it can be sold practically so.

B

I, like the idea that we could have one mandatory to implement the current one and then add one or two more and sounds like you have good candidates in mind. So so that's great we can. We can put that in I can talk to you offline and the reuse of the register is still troubling me a little bit because it seems to me that there's, when we add algorithm, is always some specification needed that like use it this way, and it's not just the numbers that that is in the registry, so you actually have to.

B

Maybe you specify also something and yeah it's it's a question of whether we can tests, it doesn't magically add to get added to my implementation. Just because there's an entry in somebody's register value.

E

Yeah I think it's buts, easier to create your own register and use them. Because then then you also you know our control of your registry, so you under end up in if you're using somebody else's register at they say no, no, we don't want to have that. You know we don't care about that algorithm and they don't allow you to put something in there and then you want to we want to and because they.

B

Add, oh.

E

They are add stuff there that it's not usable for you because they say. Oh you have used, is hash based. You know to its own 103. You know megabytes office. You know this public key. Oh, it's no problem in our our call protocol it might. The problem is your yes,.

B

Zones point was like I mean I agree with you that that it's probably lower cost for us to do our own thing, but that Jones argument I think was more like lifetime cost of this it's initially easier, but is it cheaper in the long run? If somebody else does does some amount of work, there's that that's the trade-off.

C

Okay, so this is Elliott again short term long term, okay, short term, clearly I think I'm coming down on your side, long term. This is something that should be referred back to the IAB because it the there are so many different forms of encryption units in so many different places, and so many different registries, if you go through all the Registry's, the stuff repeats itself again and again and again and again and again, and so it would be nice if we had a clearer way in the ietf to do that.

C

But in order to do that, it means that we can't have a lot of customization going on within the individual uses, and that refers us back to John's work right in the TLS 1/3 document, how much Stan how much customization has to go on in TLS, one thie to adapt for ETLs tea, etc, etc, etc.

C

That's the long-term issue.

B

Yeah and your reference to IAB there, this I am ember, doesn't know what the answer is at least, but maybe there's some other IAB members that do.

F

The.

B

Round number.

A

All right, so it sounds like there's, there's some more work to do here in terms of just getting you know and a couple more algorithms in there and just figuring out what the mechanism will be.

A

Thank you all right. Next TLS one three.

D

So this is a presentation of using TLS with using ETLs with TLS 103. It's in version 7 next slide No. That was too fast.

D

There so there's been two updates since the last IDF, based on. Oh thanks, based on the post working group, last call comments. Changes from 5 to 6 is based on support in current Els implementation, especially OpenSSL. So OpenSSL does not support sending the empty string as application data, even if it's allowed by the oil sea. So to fix this, the epls rod was changed to sending a bomb byte of zeros.

D

Now it was a big tariff occasions that the server must the client must send single byte, but the server must accept everything quite standard. Then there is yeah.

D

Another changed also based on open TLS is that up until s does not allow the server to send early data in the server hello which is allowed according to the RFC, but not implemented in open SSL. So we updated Roth to also allow sending the commit message in a separate message: that's and then between 0 6, &, 0 7 was a review by Jim, mostly editorial and clarifications. The commitment message is now called commitment message everywhere.

D

There are some privacy considerations on padding and listing that TLS 103 has padding and recommend its use. Then there is additional references to the TLS 103 or C on security considerations and clarifications, and there is a reference to the now working group adopted, dropped, ITF emu so about certificate used an informal reference. It does not depend on that next slide.

D

The only remaining issue that has been debated on the mailing list, most working group last call it's.

D

Where did he allow ETLs 103 with PSK and, if yesterday, to answer how to allow that so they're, starting by a comment by two months ha that EPA EPS K does not provide any identity protection and does not provide perfect forward secrecy and he suggested to allow PSK in eap-tls damn. There was some discussion that EAP password provides perfect forward secrecy, but a password is not really suitable for IOT devices.

D

So I think that's we end our UT use cases or where people has been on. The list has been wanting to use PS k, authentication last lately on the ITF list. I think most of the comments have been positive to doing this has been wish to use this in IOT use it in T and so.

D

So, but if we should do that- and the question is, should it be, should this PS k use the same method number and should it be defined in the same document on the first question? I would say: yes, I, don't think it helped having it the same in different number. The second I think a new document would be the preferred I. Don't think we should wait for this and I think we need time to discuss any issues here. Yeah yeah.

G

I mean important thing to understand with this is that EAP TLS is used in very high security installations, where additional modes are not just a bad idea, they are forbidden.

G

Okay, so, if you add this stuff into the RFC will get it banned, it will not only not get implemented, it will be forbidden to be implemented. So don't start messing with this and adding it like a zillion additional authentication modes. Do it separately because you're talking about extremely high security installations, which will not allow PS case and other stuff and adding a zillion modes which have never been implemented and never tested is, is an attack on on on national security. It's not.

G

This isn't like an useful thing to do it's very negative and we can we're going to end up for bidding this RFC from ever being implemented. If you do that.

C

So Bernard this Elliot. The reason that this whole conversation came up was that we're we're working out actual operational flows that we need for IOT right and for fallen boarding, and so that we see the value in using TLS PSK. It's defined right. So the question is: why can't we use a mode that already exists.

G

Another code point for it, that's fine, but if, if somebody's the point is it was forbidden in the original drafts, it was forbidden for a reason it was because it there was. There were security proofs that were required to get it deployed. Those proofs are been validated by what you're, adding here, okay, so so people wanted to do very specific things, and only those things and, and only those things were allowed for those particular installations. There were very high security certificate. Based things want to do something else. Just get another code point.

G

Do it there, don't add all of these all of this additional stuff which will and that it'll invalidate all the security proofs that are there. You know cause a ton of problems and because of that, you will have to be banned. So this stuff I mean you're just going places that you just don't go there just get another code point and you know do it separately, just so. People who are people who had negotiate this particular code point know exactly what they're getting.

C

That also implies is that any sort of new definition within a clientele that the tls people divine means it can't be re-employed here without without further being standardized.

C

Well. Point in where, in which? In which show.

H

Okay, do everyone just.

D

So the document currently says that external PSK is forbidden, so my suggestion would be. We keep that and discuss PSK in additional draft. Then people are free to implement that if they want to.

C

The other alternative is to simply add the code, point right and discuss it in this draft. So don't we don't have to constantly revisit I'm sorry, so we don't have to constantly revisit ETLs again again.

I

Mohit, no hat so as author I think it's it's non-trivial to just say: yup es case are allowed and we are done with it as you, as we have seen from the discussion on the list. There is all these questions about what identities to use whether PS case using epls with PS case. Should we allow resumption tickets and resumption PS case. So it's not a done deal personally.

I

I'm fan of small modular documents, I would favor so I agree with Myrna that probably having a different method number makes sense, anyways or type code and then having a separate document and figure out the issues, as we kind of implement this, because currently TLS PSK at least is not implemented in in the open-source WPA supplicant. So, as we learn along the implementation, we will probably need to make make changes and there's no point holding on to the TLS spec until that.

J

Own forces confirm authentication piece: kids are fine with any TLS. It's just the X T external off Pierce case need to be split out.

J

Sorry, a presumption, PS kazar find extra are fine in TLS 103. Those are fine, that's absolutely fine! Okay, it's just the external piece case need to be split out. Fine.

D

Okay, yeah seems to be so CS any is to use a different code point. No objection to that. It seems still a little bit discussion whether it should be in this document will not. Okay.

A

So, let's just just want to check the room. Is anybody opposed to using a separate foot code point for a pls PSK.

A

Okay, so I think that's part, that's a good direction to go forward with the next question would be whether do you use the same document or a different document we can take.

A

You can let's take a hum here. This is something I'm. Pretty sure we'll have to take to the list. First question will ask is if we will use the if we should cover EP SK in the same document, and the next question will be. If we should, you do TLS, PSK and a different document so hum. If you think we should do it in the same document.

A

If you think we should do it in a different document,.

A

Pretty pretty close so I think well, we'll.

C

Have to have some discussion on the list, but Elliot yeah, so there's a reason why I think we should do it now deal with it now, because Alan and I, and a couple of others have gone through all the effort to sort through these issues already on list, and we we've done all. We've done a lot of the work we're coming close to closure on it and so to spin up another document to have to do it has to causes two problems.

C

The first of all, it's a lot of work to spin up a document for this. The second issue is that I think about it from my reader standpoint, which is okay. Great now, I have to essentially I have to come, reconcile two documents to figure out how I'm going to do my implementation and I think that's actually more complex from even having a single document. Oh.

J

And I'll give one reason why I think it could possibly be a separate document, and that is, we will need some guidance from Matias working group and pasta dinner after this one, two three to give some implementation guidance on differentiating between presumption and authenticating PS case and getting that guides from TLS might hold up this document.

J

Yeah own freedom, okay,.

A

Not I mean we can I think that we that should be brought up in the TLS working group. I, don't know if we, if you have you guys done that I'm, not sure if you'll get the guidance you want, but if we should be bringing that up. If you you know, you can post an errata or spring it up on the list.

I

So I agree with the one also I don't want to publish an expect which doesn't have implementation. So if you are going to wait until the TLS PSK implementation has move forward in WPA supplicant this, we would basically hold on to the TLS document as well, which is more or less ready to be shipped. So that's another reason why I want to do it separately so that we can have some time to implement and learn from that. It's one thing to say: yeah.

I

We have figured out all the issues in the draft, but I'm pretty sure when we actually sit down to implement. There will be some some questions that that remain to be answered.

A

Okay, were there any comments on jabber, it's okay, all right. It's so I think we'll continue discussion on the list of both resolving the issues with PSK mode like the identity issues, I think are primarily the issues and then also work through this separation of the documents or doing it at one document.

D

Yeah second bullet went by it should survey, allow authentication with both certificates and external beers case. This is just a draft in TLS right now how far it has progressed, but probably a later question, I, not clear that that is even forbidden in the current epls.

D

Relationship between identity and I, when using external PS case there, there has been quite a lot of discussion even suggestion in the on the list. As yes, gender seems to be a greater poem that when using external PSK, you should also provide a realm that can be used as an anonymous nigh and then discussion, I think no clear answer. It should be distinguished external PSK from resumption PS case.

C

John yeah on the point relating to providing an anonymous nai with with PS k, so Alan and I went around on this couple times. The issue we have to be careful about is you can't always use that anonymous, nai you have to, or it's or I'll simply break frederick federation. I'm you have to be somewhat circumspect as to how you use the anonymous nai so for enrollment purposes.

C

Maybe you need to do something along those lines if you're talking about t p--, for instance, but you can't if you're already enrolled and you want- and you want to essentially use the nai to route on then, which is not an unreasonable thing to do. We do it, but if that's the pretty massive use of eep at this point, okay, I just use an anonymous nao and this actually impacts eat new. It back steep and a few others too. Yeah.

D

Actually, I think to the current text in the EPL s103 document says that anonymous nie is, you must support recommended to use, must use privacy friendly identifier, I think that would apply also for choice.

I

You can still do Federation and routing with anonymous nigh as long as the realm is correct. So if you have ever used at your home, there is a field where you you put the anonymous knife. As long as you put the correct domain part in the realm or in deny your authentication request, will get routed to the correct server side. I, don't I think there was an incorrect statement to say that you can't have anonymous nice because you need Federation and routing sorry.

C

Sorry, what I meant to say you know he's right. Well, we're there's a separate discussion and I mix them up. There's a separate discussion going on about when to use a standard realm identifier and that's where things can break Federation, that's and so you're right, you're, absolutely right! You can use anonymous any.

D

Fourth bullet is to distinguish between external PSK and resumption PSK and officially and be any guidance, I think the it might be hard to control both of these external peers case. You might have control of might also come from some other source. You might want to reduce existing identities in the organization and derive identities.

D

From from that, the internal resumption peers case are typically decided by the TLS application, so the EAP implementation might or might not have an influence on that, depending on how much they want to reuse or me mess with a TLS code, but I think these are both. Of these things are things that should be discussed, but I don't think we can end up in any must look like this. It's more like guidance.

E

No.

K

Our Dan Harkins already done with this slide after yeah, so you mentioned the CFR G is working on a pig selection process. So if we do separate things and have T, let's 1.3 as one document and PSK is a different document. Why don't you want to wait for the PSK one and just to do a peg, because it's.

D

Probably a heavy and not very iot friendly for small devices. I are.

K

You gonna do it diffie-hellman in the PS k. Yes, then it's not bene. I mean it's like a diffie-hellman and a half to do. Okay, yeah a balance, pay right! You could do something, that's considerably more than a diffie-hellman and a half, but I mean I I. Think would behoove this group to wait a little bit to do the right thing, because, even with doing it diffie-hellman it's still susceptible to a offline dictionary attack after an active attack, so I think using a pig would probably be a really good idea. Yeah.

D

I think if you use, if you use password with the PSK brochure, it's weak, I think passwords MPs case or some sometimes people misuse it, but otherwise it's different use cases. You have PSK in IOT, where you have some, so you have some distribution system of these PS case and that's secure them. When you have human involves setting things up, then you have passwords yeah.

E

Forgive me I was about to come at the same thing. A PS k is PS k, businesses say it's appreciate key, it's not password yeah, it's a strong, long, entropy and in the IOT environment. It actually might be that in for lots of the other environments. It isn't so that's why I think that there is still a use for especially in IOT environment for EAP, a PPS K in that case, because it might be even even if it's a little bit only foster. It still might be enough. There I.

K

Think we should all disabuse ourselves to the notion that you know the guidance we recommend in in the security considerations of an RSC is how it ends up. Getting used and saying. Well, PSK is a PSK and on a password, and therefore people will use PSK with PSK eat a big, long giant strings and not not with passwords, because we know that they're not going to do that. People use the tools that they have and they sometimes use them wrong.

K

So if we come up with tools that are misuse resistant, then it doesn't matter if they use it right or wrong, because it's still gonna be strong and that that's the point.

E

We can't prove to idiots I mean if they use make me a tasty code as their password. It doesn't matter if our if using pay core PSK, if the part, if the password is same for everybody, I'd known by that you know everybody so so I mean it's, nobody follows or of any of anything. What's right, we are, you know losing anyway. If they use weak passwords one letter passwords. It really doesn't matter whether you are using fake or PSK. Alright,.

K

Ok,.

A

Let's.

L

Let's.

K

Not make arguments from an absurd position, you know the absurdity of somebody using a one. A one letter, password you know is, is not not as a serious argument. So what ok.

A

So we have a little little a little more discussion to be had on the PSK topic.

D

But I think if we decide to have the PSK in a separate dropped and I think the the EPL s103 draft is ready to.

A

Proceed I think, there's still a question on identity still. We need to make sure that that's clear and there's no ambiguity and in there, even with certificates, so I just we want to make sure we verify that what.

D

Questions that.

A

So how you know what what goes in the identity field I mean. So there seems like there's still confusion and Elliott was bringing up. There may need to be a specific identity format, so in general the document does not really specify I.

A

Think the NAI, so I think it needs work. I, don't have the specific right here so but let's it may be fine, but we need to make sure that it's fine, okay.

D

Can we I? Am you only see the atom in four PS km for certificate? Extensions, I, don't know if there is something specific for each LS. In that case, we should make sure to very concretely take that discussion on the list- yeah, okay, next yeah, so this is about certificate handling and I have serious slides on this.

D

This has been no comments since the last time and no updates if I interpret positively, the draft is done and ready to proceed so I would see, as the working group last call, if any at least that forces people to review.

A

Just has anybody reviewed the latest draft I mean I, don't know if it's changed at all, but.

A

Say well we'll begin our working group last call sometime after this meeting.

A

How can you put yourself in the queue you're up.

M

Sir.

M

Coming through okay, yes, excellent, okay! So on this is just a summary.

M

My thoughts on identity, so as you're saying earlier, the the current epls document is a little thin on the use of na eyes and when and where. So. If you go through, go to the next slide.

M

There was some discussion: I had sent a long email to the list which I couldn't find in there in the list. Archives. There's. The short summary is that we should I think we should really recommend using the anonymous any eyes everywhere.

M

Clearly, people should be allowed to do other things if they want, but then it won't be compatible with roaming, which is a very, very common use case. So if you go to the next slide, there's some additional discussions, so this is sort of the summary of which identities are where you have the username, which is used in triple-a, routing the eep respond, slash, identity and then the PSK identity or certificate common name which is commonly used in TLS they're, often the same. They don't have to be I.

M

Think we can agree that the eep identity and the username have to be identical on their requirements in the various Earth's needs to copy the EEP identity into the user name field. So if we go to the next slide,.

M

Common practice is that the EP identity is derived from the common name for certificates. A lot of you eyes also allow people to enter an explicit outer.

M

Username for P TLS or R, or T TLS, with TLS 1.2 SOF identities, exactly the common name, because there's the certificates, they're, usually public for TLS 1.3 key identity should be anonymized. So we can say that generally, instead of having the user configured two different things on, we could just say the comment. The EP identity is derived from the common name by using the realm portion, so it's routable and maintains user privacy. So next slide.

M

So for PSK identities, whether or not we allow ETLs use PSK for pre provisioned PSK identities, we can recommend using the NAI form when we know that works or if there's a need for identities which do not match the NIE requirements. We can just say people use whatever they want for the PS key identity and then separately use the NAI for the eep identity right. So the idea here is: it doesn't really matter what the PST identity is.

M

We know that the anonymous Nai you always works for routing I'm super go to the next slide and resumption. The eep application doesn't necessarily control the derivation of the PST identity for a resumption. So it's safest to assume that it's just it's opaque blob, which is not utf-8 and not an nai and therefore cannot be used for the EEP. So again, we're left with and nonnamous nai, which then allows the assumption to be routable and decouples routing from the PSG identity.

M

So we can use different identities for every resumption, which gives us some level of privacy, even though the MAC address is usually they're always the same, and then it doesn't affect. Read ability of the packet? Some of my earlier comments were that the resumption session should use the same EEP identity as the original authentication.

M

So if you're using an actual username for the original TLS authentication, it's probably a good idea to use an actual username for the resumption simply for consistency. If you use the anonymous nai everywhere, then you should just use it everywhere. So next slide.

M

So yeah we assume that generally medication will be routed if it's not being routed and identities, don't really matter and people can do whatever they want, but in general it's good practice and people pretty much always do this nowadays, even if the requests aren't routable, they just use the anonymous na eyes everywhere and I guess the the my recommendation haven't looked into this is is I, think the EEP TLS draft should be clearer as to which nai it's so which identity it's recommending and why and I think it should recommend the anonymous nai everywhere and I think going forward a litte a little bit the TLS 1.34 other you types documents would probably also do the same thing.

M

That's it for these slides. If we go to the next one, I think nope I think that's it questions comments.

C

Alan, it's Elliott, I, really mostly agree with pretty much everything you said. I had a question about handling normal TLS certs. If you go back to like that, that slide not PSK, but just the the other other form of a is your presumption that there is something that approximates a realm within the cert.

M

Generally is the common name and people use that, but you know, based on other discussions on the list, we probably should have a separate nai realm, o ID in the certificate too, and then that can be used for the anonymous outer identity.

M

That's a whole effort discussion as to where that nai, which which field of the cert that nai comes from, is a separate discussion with I for now I'm just waving my hands and going it's in there somewhere. If the search says it's for example.com, we probably want to use example.com in the identity as an anonymous realm.

C

So the reason I mention it is that there are some implications here relating to I Triple E 8o, 2.1 AR, which has no such form as I as I, understand it, and so I like your answer earlier, which is just use anonymous na eyes. But what, if that, has other implications? We should explore them. I.

M

Don't think it has other anonymous implications. This is really the text on this slide is really more just background as to what people mostly use now in the common on derivation, the common practice, and after going through this and sort of running down the checklist of all the different possibilities, everything comes out with use the anonymous nei, so I think that should be the recommendation in depend. Why it's worth having an explanation, but it's worth also just having the recommendation of you know just use the anonymous nai everywhere, always no matter what.

D

Yeah you're, not sorry, you say that it should be a recommendation, but the EPL s103 draught will already have a recommendation. It says that anonymous knives are mandatory to support and recommended to use so I. Don't I, don't really see concretely what you are when we think for this certificate use case for the biggest Kay use case. You have local other.

M

I'm speaking as an implementer I I guess, the text on identities is buried inside of the resumption section. So it's not clear that for normal authentication you should use the anonymous nai I. Had some tax I sent to the list, I think I also open a github request. I think it would help to have a separate section in the document saying identities which you can then discuss. Hey some certificates have these identity, some don't for resumption.

M

In any case, for this list of reasons, here's why, for ETLs, the eep identity should be the anonymous nai realm, because I guess for me it's it's not clear. If that text is buried in the resumption section, it's not clear to me as an implement or reading this, that this field, which is separate from resumption, should have a particular value for particular reasons. Sure so.

G

Mobile mic resistant, which is that you know at in some systems. I have seen the radius server, make different suggestions of different methods for different people right. So what that means is that there can be more than one I done more than one anonymous in AI used by our an organization say they decide. I security users are going to all be forced to use the apt. Less and lower security users use something else, teep whatever, and it's worth thinking that the the AP identity right is not method specific.

G

It's for any method, so we're really talking about here kind of upgrading privacy for really everything not really specific to EB, TLS and I. Guess. My point is that when you're asked for an identity, you don't necessarily know what method you're going to use so saying this is this: is the identity you should use for EB atilla's? Those are not necessarily correlated with each other. Oh.

M

Okay, yeah I mean to a certain extent, yes, but I think we still need to have some recommendation for the implementers of ETLs as to when they're trying to negotiate TLS. They need to have a have an initial starting point for the identity and that's where the recommendation of this anonymous nei comes from.

M

Okay, I think that's. It then.

A

Okay, thanks I think we'll have some more discussion on that.

I

Allen I, guess it's it's still you so. Can you join the queue.

M

Yeah, okay, I, don't have a lot to add on this document. I think there's just one slide. If we go to the next one I think the documents. Okay did get a response from Microsoft supporting this approach for peope. It's not clear what to do with fast.

M

The text in the document is sort of my initial stab in the dark, but it would be good to actually have some review of that for fast and maybe something from implementers saying that this works and there's interoperable but I, don't think anyone's really done much of anything with with fast and TLS 1.3 I think based on discussion on the list. The T pop dates probably belong here and then I think the document should be published close in time to the ETLs document.

M

I know the the response from Microsoft was that they wouldn't touch anything including epls until they could rev all the other TLS types or TLS based EGH types. I know that e TLS is implemented for TLS 1.3 is implemented in WPA, supplicant I, don't think, there's been any progress on P port or TTLs they're. The same thing in my implementation, mostly because we're not really sure what to do so.

M

If we can get some additional feedback here and I think we can get the various open source people to update everything and implement everything, and then we know it works. I think we just need consensus from the working group that, yes, this is okay and we should we should be moving forward with this.

M

Questions.

A

So are you? Are you in touch with folks who can help with teep information, because I think that's been a common open issues that we have some errata still open and there's been some discussion, but not quite enough and I know folks, are talking about implementations want to make sure that we have the right folks involved so that we can get the document updated in a reasonable amount of time. So the word out to implementers yeah.

M

It's basically what's what's been on the mailing list. I know, Microsoft was saying that recently they have I believe they have teep in recent previews.

M

But yeah there's been no sort of coordinated effort from implementers to get in a room and go. This is what we've done. Let's check that it works.

M

It's mainly just discussions on the mailing list going I think this is what we should do so I think I'll trying to reach out to people behind the scenes and try and get some no on-the-record statements, but that might take a while in the meantime, I think the documents, mostly okay.

M

My inclination is that, given that peep and TTLs are more widely used than teep and easier to update, if there's any concern of a teep that causes delays of this document, I would prefer just to drop fast and teep and just have a reference of you know. This is what we think might work, but we're not really sure and then read it later, so that we can. We can rev TLS and teep, so int, TLS and peep all at the same time, which, which are extremely widely used.

M

I.

M

Don't see any discussion on that.

A

Okay, so I think we'll bring this to lists. We probably sure to have a discussion if, if it would help to get either having a virtual interim, where we get implementers out together in the same room or the same virtual room, if that would help to kind of work through some issues, I think.

M

That would Thanks.

A

Tomas.

L

Yes,.

L

Can you hear me yes,.

B

Okay,.

L

I'll give an overview of e noob and next slide. Please so I'll start with a quick overview of the protocol, then the draft status and then at the end, I have a couple of technical issues that may be of interest. One is how we use deny and then about roaming. Okay. So what problem does a be noob into soul? Well, as we know this currently no out of mana indication method for EAP and the need for this method has now been identified in the new charter for the working group and ap.

L

Noob is one solution for that problem. Next slide and.

L

As a quick overview of the protocol, it's an EAP method for user, assisted, out-of-band authentication.

L

For example, the user could scan a dynamic QR code or endeth tag or read a blinking light with a mobile phone to deliver the out-of-band message between the peer and the server, and this is a bootstrapping method so that when the out of band or the dictation takes place, the device is also registered at the triple-a, and then it could that registration will later be used for a fast reload indication of the pre of the register devices so that no more user interaction or other bad communication is needed. Next slide.

L

Here is the architecture picture also as a reminder, the main trick here is to do in band communication over EAP between the nudie bar and then the triple a server and do most of the communication in band /, EAP, cryptographic, handshake and then have one user assist the elder and methods to authenticate that in band key exchange- and this idea has now been copied by some other specific agents, and maybe I should just to advertise and remind that this origin is, the idea is originates from mojits PhD thesis.

L

Ok, next slide.

L

The state of the draft is such that we have worked a few years on it and on the implementations and modeling verification, and the current draft number is seven next slide.

L

There have been no major updates to this version. The main thing is to update the sample messages so that they are up-to-date with the specification text and also have been tested with the implementation next slide.

L

So here is a summary of the draft status. I think it's pretty mature. Now we have two implementations. There is the implementation for WPA, supplicant and hostapd done at other university and then kentucky implementation, mainly at University of Murcia in Spain, and then we have model the protocol with formal, modeling and verification tools on one hand, the protocol state machines and in our service resistance properties, and then the security protocol and authentication and I think once the new charter updated Charter is confirmed.

L

This would be ready for a working group adoption and maybe, if we can agree on that, then that can be confirmed on the mailing list after the rich artery is complete.

L

So this was the update on the protocol on the specific case and then I still have a few slides about the kind of the core take more technical stuff.

L

So next slide please, and you can still go one more and first about how we use the NA so because the device initially here is not registered with the Triple A, it doesn't have an IE, and for that reason we use this generic nigh and especially the generic real, which is currently EAB dual of MIT, but I understand that it's better to use reserver dot, ARPA domain for this purpose and why we need this generic realme that is used for routing the EAB, noob or EAP requests from the new unregistered peers to the correct triple-a server and normally we would expect the network administrators to select a server for that network and that handles this out-of-band authentication, an interaction with the user and route, the radius for the this generic realm to that specialized server and then immediately in the initial exchange in the ap noob, the server signs appear, ID and real to the pier and after that, those will be used for routing the requests.

L

If there is no roaming, then they can continue to use the generic real man, but the usually I guess it would be good to assign realme for roaming Persis. So this is how we have solved this night problem with the unregistered devices in the beginning and then next slide. Actually, you can go one more if I use the picture other than the text, so I want to explain a roaming question or a problem, how we handle roaming and then what still hasn't been done about it?

L

Okay, so here is the first simple roaming scenario: we register the device at home and I use here any room between a couple of universities as the example next slide, and when PAP newb is used for authenticating and registering the device it initially uses this generic real man ID and then the local Triple, A or a specialized radio server for the AV noob will handle the CLP loop, authentication and next slide as part of that process.

L

In the initial exchange, the Triple A assigns a peer, ID and real OMA to the device next slide and later the same device. If it moves to different parts of the network, it can use that assigned na for roaming just as normal. There is nothing specific special about this, and this works well with the current EAP noob specification.

L

So that's the kind of roaming that we currently support, then in the following two slides I want to talk some kind of what could be done so now here is a user who is already at the other parts of the network and not in the whole network and in this for a network, it's wondering when it has just purchased. The first device is wondering why it can register that next slide.

L

The problem they have is that we would need to route the radius requests from this forum triple-a to the home triple-a, and then, if that was possible, then we could do the authentication with the EAP noob, but because the device now has the generic ID and realm', it cannot really connect your home or the load. The foreign triple-a doesn't know where to route this request: where does the user want them and we don't currently have a technical solution then next slide?

L

This is the final slide, so the we think that there could be some mechanism for the user to interact with the foreign triple-a. Let's say a webpage where it can request routing of the radio requests for the new device to the home triple-a, and that would enable registration of new devices while roaming, and this only needs to be done once and what then, when the EAP new Association has been created, the reordan dication will again work as normal roaming without any such special interaction.

L

But this is just something that we have been thinking about, but it's not specified how to do this in the EAB noob specification. We just have been careful not to prevent this kind of scenarios in the future.

L

That's all I had.

L

If there are any questions or comments.

N

This is a awarding list from the University of Murcia. I'd have to say that I implemented the contain the evening person for Kentucky I will send a mail with the github project on the mailing list. What I implemented that, with until University great.

A

Thank you a.

O

Vision, wattage area from thesis, research, India, so I have a few comments from different logistics perspective. The thing is that in Bangkok I mentioned that considering the startup community growing in the subcontinent level, what we have seen is that there's a gap in terms of securing this I mean the knowledge in terms of securing their devices properly, so they have good sensor knowledge. They have good knowledge on the basic hardware, but this kind of solution as a plug-in can actually help them for a better service.

O

But the problem in terms of adopting the solution that I see is that when these companies they go to market their end, customer would not like to use anything which is non-standard and also implementation. Wise, getting the the numbers from Ayane is very important, because people don't really like to change nativities inside. So probably if it is technically I mean it is at some stage, and there are implementations already available, open source, probably pushing it for adoption, and standardization might might find a new opportunity. That's all I wanted to say.

C

This is Elliot I, agree that it looks pretty stable, we're not ready to implement yet at Cisco, but others are. What I want to add, though, is I like your discussion about these the and the I we're basically following through tracking that, from a teep perspective for onboarding.

A

Yeah I think right now we're waiting for the aren't their charters, currently an IAS G review. So we'll see what comes out of that, and hopefully once that goes through then we'll be set to it. Adopt new work items.

P

Room engineer has the ad just to kind of be precise, the Charter we were through the internal review of the ice G. It's going for external comment.

Q

And then.

P

It will come back, I'm, sorry, alright, perfect, so.

P

The practical process in case what we did is the Charter result first comes to the ice tree for a quick look. Are you okay with that? Yes, we're? Okay with that, then, let's go to the community. Is the community? Okay, with that and based on the community comments and then comes back to the is G okay, you heard from the community. Are you now really, okay with it, and then it gets approved.

D

Review.

I

That finished on on the 11th of November, now it should is G on their meeting on 5th of December.

R

Yeah, the the external review period happens just like a ITF last call basically, and then I is she gets checked out, try at it yeah Elliott into the Mike. It's on the teletype for the final ballot, I.

S

Have been working with a DS who were at some point in that lengthy process able to say you can start operating as if the new charter was in place. So maybe we can reach that at some point. I, don't know if you are there but Julia. You can just say that and in.

A

Pursuit I mean I, think we're we're pretty close. You know assuming that once once it goes through, then it I mean I think we can wait for the teletraan. I don't think we kind of have holidays in between then but yeah.

P

Sorry, sir, just checking gates it's on the teletrac for December 5th. So yes,.

Q

In.

P

Two weeks so the.

A

End is.

P

Near for you know, figuring out the closure, all.

A

Right, let's move to the next presentation, which I think is Burt's key.

A

Can somebody do a little ether padding taking some notes? No we'll fill them in okay.

C

This will be a pretty short presentation. I hope next slide. Please all right! Well, these so we've only been subtle to small changes to eat deep risky, but larger changes are coming. The first is that the doctor that all the diagrams have been simplified. There was a lot of hopping over things and where didn't we're in the swimming line diagrams from UML that didn't need to happen, and so we cleaned a bunch of that up. So that's done.

C

We've done a bunch of rework or over the discussion around nai, which is almost identical in nature, to what you just heard from noob, and in fact what I'll do is I'll to compare text there, because I don't see any reason to be inconsistent with what noob is doing that seem. That seems about right.

C

The last round of discussions we we've realized is that at least thanks to yoni there's a lot of there are a lot of errata open on teep and so there's a lot of work that needs to get done so that tip can be more broadly implemented, and so a couple of things are happening.

C

I think here I think we want to broaden out the this to a teep update, maybe even de-emphasize the brewski part in this just make it more of a Jenner generic teep update, but also keep you know the additional opcodes titl bees for brewski, and so this ties to a couple of different things next slide. Please so here are all of the errata 14.

I

Might so I just had a very short comment on on this doing the update of deep and brewski. So what I apply to my own drafts? I I, don't ask you to do anything. What I don't do myself so I kind of recommend it to myself to split the PSK part out. I would kind of recommend the same thing to you to put the brewski part in a separate Draft and fix the tea Parata as a separate document.

I

The reason I'm saying this is because now teep is finally getting implemented in in Windows and and in other places and which is very nice and we should kind of fix the writin in in one document and I'm, not sure if, like all use, cases would use brewski and, like my Windows laptop, probably won't come with I'll divide, eaj, divide, E's and so on. So maybe, as I said, I'm a fan of small modular document, so maybe splitting them up makes sense. Yeah.

C

And I tend to think of it as the opposite actually Mohit, because from an implementer standpoint, if I have to end up reading a hundred documents to implement, implement, teep or actually they're peeps, not the worst offender here. But there are a couple of protocols in the ITF that are really bad because you had to really have to sift through a lot of documents. I don't want to start down that road. If we can get.

C

Many of these are I, think relatively simple changes and nothing should require that people have to implement a brewski opcode in the process and that's part of the rewrite would be that you just don't you don't make them mandatory. But if you do here's what you do, yeah.

I

I should have added no strong opinion, so I leave it for the best of your judgement. Yeah.

C

And there are a couple of things here that are well outside, say the voucher aspects of ruski that probably are worth capturing and teep that we that just got missed the first time around. So, if instance, the get CSR attributes function that that's in that's in brewski, probably is something that is needed more in an EST log function, which is what teep tracked, and so you probably want to keep that one way or the other. Even if, at the end of the day, we decided to drop all the brewski, the rest of the voucher ones.

C

There are other aspects here too, which is if we're going to open up t p-- Draft. There may be a couple of other tlvs that we want to add in any case, I'll come to that in a moment, I went through all of the the the errata, and some of them are really straightforward. Right I mean you have typos in various places that sorta caught, for instance, and some of them are also really rather simple clarifications.

C

So you see where it says, accept, accept accept these are just suggestions as to how we might proceed in a drought in a draft update, not something we have to decide on today. But you know a rough cut of where I see things going.

C

There are a couple places where the the there's pretty involved discussion that you Oni provides, especially when it comes to some of the derivations and that those those really do require more discussion when it comes to tea.

C

Some of them are, you know, relatively simple, like relatively simple clarifications like when to make sure using intermediate results when you're actually used when you're, actually processing intermediate results and don't try and return the the crypto binding instead, because the intermediate results, I think includes essentially the same crypto bonding functionality.

C

There's like no nice text, there was I felt pretty close to accurate. There was like corner cases there like, but what, if you're, actually finished, then you actually do want to do the crypto, binding and- and he you know- that's it's just small word word smithing along those lines.

C

So I think these. These are the list. It's not a huge list, and it's just something I think we could knock through over the next couple of I want to say next couple months, we're probably it's going to take a couple of cycles. The meetings actually to make sure we're comfortable with this next slide. Please, okay!

C

So these are sort of the new TTL visas that are in there already and then I think we just go through and sift and decide which ones are useful to keep which ones are which ones we might want to add and I think this also ties quite closely to the onboarding discussions that we're having as to how we bind to various onboarding mechanisms before you even get to eat so for this purpose, what I'm suggesting is that we slow roll some of this and if it really slow rolls, then I would have to agree with you Mohit that we would want to separate out the clarifications.

C

But if we're not gonna, if it's not going to be too slow, then let's just proceed and see how far we get so I think there's one more side right, so yeah there's this interaction aspect. So how does teep interact with other 802 11 capabilities and EPP in particular? How do you do network selection from wireless and how you bind from a DPP, applicator Madi, PP transaction into t p--?

C

If you're going to do that, and some of that has to be worked out architectural and this ties to the discussion that we've been having about you know: how do you how these building blocks look together and what does that mean from a from a? How do we discuss that at the IETF, so I don't want to blow up the you know this into a huge issue. It's it's really, not I, don't think, but we are tying. This is a little bit bigger than just teep next slide.

C

Okay, so you know, one of the things we can do is just have a section that goes through and accepts you know or provides an update on on how we deal with the errata. Then we have another issue, which is: how do we deal with TLS one three I sort of like the idea of having that done and the other document that Alan's doing?

C

One of the reasons is that I, don't think, and maybe in Ana's, but there rest of us aren't really TLS 1/3 experts and if we could knock that through and the other document, I think it'd probably be easier, but I'm not religious about that either.

C

So you know the proposal here is less focused on brewski, more focused on update as I said roll. It slow get some more code going. We actually have some code that we've done in both WPA supplicant and in and in the hostapd code.

C

That goes not yet we're ready for release, because it's slightly embarrassing in terms of one or two points and I would rather not be quite that embarrassed, so I think at the end of the day you know, probably in March the document will look a little bit cleaner in terms of how this looks, and that will be. That will give you a good view as to whether or not to adopt it's the way. I see it, and that would be that where I would leave things for now,.

A

One of the things I kind of hope is: we could knock through the errata that we don't. We can resolve the errata without having them in the document and then just write. The document would just reflect the changes right, so that would be fine I.

C

Think come on. Do.

A

That you know kind of in process as we work through, because some of them yeah might take a little bit longer, but many of them, like you say, are pretty straightforward and if we can start knocking those off I think that would be helpful. Okay, so.

C

Here's what I propose then Joe I will take as an action to post it to post these each as an issue right each of the errata as an issue with a proposal how to address I suggest the chairs track them as separate issues right and then you guys have the option of closing or not and- and you know, based on the working groups view and then when once the as as we're doing that in parallel, we can also deal with the other deep work. That's being done.

C

Okay, that.

A

Sounds like a plan: okay, I'm.

C

Done cool.

A

Text.

A

Miss pixel max.

T

Hello, everybody I'm max Paula I'm here to talk about if creds we already presented last time on this, want to provide some updates, some consideration about the work that we're doing with its applicability and what are the next steps that we envision?

T

Please, okay, so problem statement, I work for Kaiba labs, so we have our members, our operators that tend to deploy a different type of networks from Wi-Fi, with public access point to cellular networks, CBR s which is practically 4G and Phi G doing in unlicensed spectrum like multi fire or our networks like the Oxus networks. Right.

T

However, this one one problem that our members always report, it's very difficult to manage to dynamically, manage these credentials for their access networks, and they really would like to have the possibility to change these credentials depending on the risk level that that is that they want to set in the networks right. So today is very difficult for them to have a centralized system that does this across different networks, different technologies next slide and of course we don't use one type of credentials. We use different type of credentials like username, password, secret keys and certificates.

T

So certificate is one of them and you know usually having multiple methods can improve device diversity in your in your network sometimes, and the possibility to switch between between type of credentials and security manages. This credential is not easy right, so we seen some proposals to manage credentials through through EEP, but there's no consistency about being able to manage all type of credentials.

T

We focus mostly on certificates, because this is a very common use case, but we have other use case that involve you know, keys or username and passwords, and especially IOT, is a mix type of type of credentials that in deploy next time.

T

So what are we trying to focus with our work so that work is trying to provide an encapsulation mechanism right so that you can use your own provisioning mechanism? And/Or encapsulate standard mechanism that already exists? Why do we think this is a a good approach right? We work in many different vitamins like that bf, a for example, where they use a different approach. They propose that devices get their own IP address, get in jail. State basically can reach a also server, which is a online sign up server and then from there.

T

Then we can get their credentials and then authenticate to the network. However, you know some operators reported that they don't feel comfortable, deploying these type of solutions, because now you have devices that are not authenticated and they can probe your network because they have IP, so they have relative bility. We think that this solution solves this problem, because now you cannot route your message and it's from a security standpoint of view. It makes a lot of sense and, as before, I suggested also for brewski.

T

We think that, with our protocol being generic, you can have profiles for that for your use case, and so, for example, if you want to implement a full set of standard, you know like est, you can print the full est or you can just implement the renewal, because that's the use case that that makes sense for you next slide, so just very briefly, Ameri quickly. Well, how we organize the EEP creds. We try to provide three different phases for now: the initialization, the management and the validation.

T

The initialization is the part that you can use to bootstrap the process. You can use tokens or voucher that can be bear tokens or can be tied to a key. So there's all methods that you can use for authentication, but basically this the initialization says the device says: oh, these are the credential they have for your network. Do you want to do something with it and then basically, the the server can't start if he wants to I started management, please where you can renew or deploy new type of credentials.

T

It is supported by the device and then optionally verify that actually what the device has corresponds to what the server thinks you should have next time. So what has changed so far? Well, we simplify the proposal because we receive feedback from the from the workgroup. These are documents are very long. We want them to simplify, so they can be understood better. So we we decided well from from the Middle East. They said it's okay.

T

If you say that you, you have to rely on a secure method before executing this, so this this actually helps us because we say well, you have to have a secure channel, but we're not going to go into the description, how to get that once you add that, like, for example, if TLS, if keep or other mechanism, then you can use this method and the we we simplified certain things by removing that.

T

But at the same time we add a new text, because one of the item that was left over was to define one basic protocol that could handle all different type of credentials. I recall now SPP or simple provision in protocol, but it's just a very simple thing, and basically this try to provide one method. So it's not the only method, so they, the it creds is meant to be an encapsulation method and next slide. Because of this right, we thought about simplifying the the document by removing the SPP.

T

We just put it there, maybe put it in a separate document so that it Kratz is a shorter encapsulating method and the SPP can be implemented there or not.

T

Now there are some other things that we might and you might simplify the document to make it even shorter, but I hope we can do it, then the next in the next version of the draft next slide. Of course, I want to thank everybody that really helped us in making the proposal better and also in the chairs, because they charted text has been a longtime discussion and finally, we get we get there yeah. Thank you. So much next slide.

T

So what are what I request here so, of course we're focusing on the use case that makes sense for our members, because this is something we want to deploy in our networks. We also working with CBR s where I think on the 14th was the four released. Three EPs was a lot adopted to manage the credentials for cellular networks for CBR s networks, then we're working also with the wireless broadband Alliance they were interested in to see.

T

Can we use this to provision credentials in their environment and Wi-Fi we're going to present there soon, there's no date yet. So this is some work that can they can go also in the WBA next slide.

T

We don't think that the document is ready for thinking about adopting in the workgroup. We want to simplify that and make some tweaks before before. We think is ready for evaluation, but we hope that we can do it soon and maybe by the night next time we can think about adopting it. This is the reference for the current ID that we have I know it's very in his late and you have the eyes very open. But if you have any question, please.

U

Aha, you know a lot of IOT or device onboarding procedure. Usually we have some Pro provisioning or create credential on the device and we use it for the authentication and for the later network set control. So, but here you propose that we we through the credential provision, you know when the device is, is joining the network. So I don't know the relation between the you know the current method and what is the typical use cases for your method?

U

Thanks for the question so.

T

With the with this method, actually you can still continue to use that that approach in the sense that when you do an initialization phase, if the device doesn't have as some credentials that you may leverage to register the device that happens in the to initial message, so there's two messages in the initialization phase and you can use that that method to leverage credentials that already exist. But on top of that you can, you can decide well I like these credentials. This is the credentials, for example, that were put there for certification.

T

You have an Aussie F device. You have you know some devices that have certification already certificate, but that particular method of authentication for your network. You don't think, is appropriate. Oh, let's put it this way. You want to change so you can. You can use that credentials to register the device and then deploy the credentials that you would like the device to use the next time they they accident or something like that. So think about. You might have a voucher.

T

You might have something that is tied to a key or not, or just presenting one-time token right to register the device that you obtain from a website somewhere. We don't specify that this is outside the scope of the of the protocol, but they are use case, for example, for adaxes network or CB RS. Is you have some sim credentials?

T

You can leverage them to deploy this that you, no other type of credential, like certificates or user name password that in the environment, the same things we're thinking for our next generation of cable networks that we are working on delivering the tangi at platform, and we think that, because they added number of entities that are going to be on our networks, we need to have some form of authentication and credentials, managing that we use treat not only for the clients, the cable, modems and DVRs etcetera, but also for the infrastructure.

T

So this would allow us to have a very centralized system for all our operators, which is very interesting for now. Ok, ok, yeah! Thank you for.

U

The clarification I think in general I like this idea. Thank you. Thank you.

C

Hey max so I think what your there's a lot here, that you're doing that I think is really interesting, because it attracts precisely to this morning's conversation right in terms of how we onboard with IOT I. Have one I have one major concern? Well, it's one major concern, but it's it's a lengthy one.

C

I'll apologize in advance for that which is first of all, it seems, like you, have sort of the the kitchen sink approach here right in terms of there are all these different mechanisms that you're gonna try and reference with an ich ich red.

C

What we are suffering with in IOT right now is fragmentation of all this and I realize you're, trying to defragment by by finding at least one consolidation point, but I'm concerned that with so many mechanisms it actually won't consolidate, and so one of the things that we talked about this morning was: can we distill down architectural II? What is really needed to bind between these? You know the input process for for eep.

C

If you will versus the output process from what came before and I wonder if we want to just take a step back a little bit as we go through that and say: ok can we can we distill this down to something like we discussed this morning as as a you know, something like an EDC sa public/private key pair or something along those lines? Maybe the public EDSA is a little ETCs. A is probably a little too specific right.

C

You probably need a code point approach, and this and I'm not even sure about how to manage the code points in that regard. But if we can distill that down then there's another opportunity here. The other opportunity is that our two drafts merge right and we sort of proceeded forward along those lines.

C

I haven't actually thought all of that through, but I think that's a discussion.

C

We should have and I really like the idea of merging in one particular regard, which is less fragmentation, but as part of that I think we we need to understand each of the use cases that you were attempting to address with all those different enrollment mechanisms- and you know, I- think the the the gentleman from Siemens Siemens are here and in your draft and anima right, you have you, you have to try and chisel down right what what sort of a role enrollment approaches you really wanted to tackle right.

C

Do you want to throw us SCEP and in-ears, for instance- and you know- and I think there are some use cases that they have, but that that needs to be reviewed in this context. So as all as part of this, if we can distill this down, then we can reduce the fragmentation and that will accelerate deployment.

T

Yeah Elliot, thank you for the question yeah. Definitely if we can maybe merge the two proposals, if we you know they both fit, they use cases great, less work and better work and so far architecture wise they. What we are working on is try not to put architecture in this, but lets you decide the architecture. So this comes from. You know the our operators. They usually have some purchasing power for devices so that that usually helps them to have more freedom when they have to decide how to manage the credentials.

T

But, coming to the point that you were saying about the you know, defining all this fragmentation for these provisioning protocols, I totally agree with them. We have that problem, and this is not a new problem. You know whenever you need to implement a provisioning protocol, you have to choose which one which option not that provisioning protocol cetera. That's definitely true.

T

My plan is not to to do this work for every protocols that we have, as I said before, we have a proposal for the SPP, which is very simple meant to be version, not super flexible and like other programming protocol, but sufficient. Let's boot, it wait sufficient for for a good implementation, and if you want to go over and have you know using something like brewskis cetera, you could still integrate that right.

T

The other thing that I wanted to point out this could be used, for example, so- and we talked about this this morning, when you have DPP, for example, they approach that they're using for the personal use in the in the in the buffet to be transported over the enterprise, so we're over eeep by encapsulating the DPP packets on the EP. So you could potentially use DPP also in threep.

T

It's just an example of how this would enable new tools that might make find you in use cases. But so this is all.

A

Thank you. Let's go to the next presentation, which I think is.

V

Ok, I hope, if you hear me: fine, yes, okay, yeah, so my name is john korabik ICA's I'm, currently a student in bremen in germany- and I have submitted this draft yet just as an idea, so you can go to the next slide.

V

I'm working on at our networking, Center in Bremen and I am dealing with eduroam and one experience I had when dealing with eduroam is that the certificate checks on supplicants in eap-tls are known to be faulty and with faulty I mean not badly implemented, but they don't really happen in a way that we should well that they should happen, so they use very unsecure defaults. For example, in android devices there was not really default for checking with Android versions, at least prior to version 7 I'm, not quite sure about that.

V

So the certificate checking was disabled by default. Current androids have this option used system certificates with domain input and not really a documentation. What this domain should be Windows, Mac, OS iOS, they question the user for the certificate and at least for Windows. You just see a fingerprint and no information about the common name or the issuer, so that is a big issue in eduroam in bremen, at least. So. The reason for that is from my perspective that the eap-tls specification lacks a specific method or specific data to determine if the certificate is valid.

V

For this specific use and I think this should be solved by giving the supplicants some means to determine if the certificate is valid for the intended use by in including information into the certificate that is implicitly defined by the communication context.

V

So if you can go to the next slide, my proposed solution for that is to add a new certificate extension that explicitly defines a valid realm for this certificate, for which EAP realm this certificate should be used. This is a big advantage, because the user name is implicitly known from communication context, and the realm can be extracted from that and Cas can validate this if the realm is a dns name and especially in AD Rome.

V

This is true for the realms I have asked for comments on the mailing list and I have some other ideas seen on the mailing list. So if you can go to the next slide, there is RFC 7585. The niín AI realm specified there, which is intended to help with roaming federation contest connections.

V

So this is one idea that was very like the first response that I'm redoing this work here. From my perspective, this could be a solution to also use that for eap-tls, but I. Don't think this is a good idea to just simply reuse that, because it is not the same scope, another idea would be to specify a specific prefix for the subject: alt name DNS name or even for common name in the certificate, for example, eap-tls dot, uni- Bremen dot de for the Union bremond of the e realm.

V

But my suggested solution would be to use this new certificate extension. So if you could go to the next slide, yes, so the feedback I received for that is to possibly just reuse.

V

The OID from the RFC 7585 nii realm, maybe, and that is also an idea that came to my mind after submitting this draft, is to also add a specific, extended key usage for eap-tls server authentication, because currently speaking for Bremen eduroam as well, the certificate we use has the extended key usage for TLS web server and client authentication, and, from my perspective this leads to quite a lot of problems, because it is quite easy if people just type in their username and their password to set up a rogue access point and get credentials there so yeah.

V

This is my first draft for the IDF, so I would be very happy to receive. Feedback of this goes in the right direction. If there's something I have missed. If this is useful,.

C

This is Elliot again young Frederick, thanks for the draft I think this guy is a little bit too. The work that Owens doing, if I understand correctly in in terms of realm identification, I think Owen you're gonna talk to that. Is that right later or maybe not in this room but I think it we we we have. We have looked at at similar issues in terms similar aspects that I think relate a little bit to your acne work and and and so I think they're they're, a couple of things that are hiding out there.

C

What I was going to say is I was a little unclear. The use case, though, in terms of when, when you need that realm and the edger in it available in edge room, for instance, in certificate, is being presented inappropriately elsewhere or they're, not being able to select the certificate for Fred roams use in a context of the Federation.

V

So the the the main problem with a certificate checking is that it is quite common or was quite common for a lot of a long time that users just typed in their username and password and did not select any certificate attributes, and especially with the user interface in Eddy row in Android. This was the easiest way and my aim is to help to get a secure default. That supplicants know exactly from the certificate that this is valid for the intended years.

J

So this is Owen just to clarify what I was talking about. What I'm going to talk about in five minutes. Time is the other side of the house, which is how vacuum can be used to issue inside certs, but this is more relevant for as Brisky cloud, but it's going to come up with a animal it around the week, which is and when a cloud registrar redirects an entity to a triple-a. How does the entity verified the triplicity by dentistry.

G

We're not about Microsoft, so I have a question about how you intend this to be used. Is the idea that you don't feel that the users should be prompted to ok the certificate and that should somehow automatically check the NAI against this nai realm and just allow it is that the idea? Definitely yes, yeah I, guess I, don't know it seems like a very dangerous thing, because what prevents you have assert to claim any ni realm right.

G

They did it like I, my corporation I'll I'll claim I have only ni realm for whatever I don't actually own. It has no relationship to the cert and now you're not putting out the dialog box. So I'm can basically infect the user system with a with a false nai realm claim right. I can I can put whatever I want in there like I'm Joe blows fish shop and I'll claim. You know that I own the NIR realm, for you know and I, say the u.s. gov right and and you'll accept.

G

That automatically is that the idea.

V

Well, basically, the idea is because in eduroam we deal with public CAS, public trust and CAS a lot to help to have this certificate attribute also verified by trusted CAS, so that, of course, if, if I have control over uni- bremond op de then I should be the only one who is allowed to be issued a certificate with the humanitarian de realm. I guess.

G

I, don't we're gonna cut the line.

A

Hold oh yeah.

S

Yeah, just quick observation here: improving the security can be done in several ways here and given that we are talking about an environment in which most endpoints are broken.

S

It's really hard to reason about security, and one observation is that it really helps to be able to build your production system out in such a way that it rejects a larger part of the broken ancestors that are not only broken but also misconfigured. So that's maybe a slightly different objective that we have in mind here. Then you are usually working with.

D

Yeah.

M

So to address Bernards point that that's certainly true but I. Think one of the issues now is the supplicants by default. Don't trust any of the root CAS for epls authentication. They do trust it for HTTPS, and one of the issues is that all of the ETLs server certificates have this TLS web server, o ID and I think it would help if the CAS would issue certificates specifically for ETLs, at which point the supplicants could default, trust all the route CAS and then validate that that certificate coming over ETLs is actually an e TLS certificate.

M

So I think what young Frederick has pointed out here is an issue not just with this particular oh I D, but I think there may be a need for a larger eat practices document as to what the supplicant should do, what the CA should do and I think it would certainly help with adoption, rather a lot, because it'd be very, very nice to be able to say you know: here's my identification I'm in realm X and I connect to some random as as ID hey, I, get a certificate which says it's for that realm.

M

It's signed by a root, CA I trust. Therefore, I don't have to do the whole clickety clickety click thing that everyone has to do now. So I think this is an issue which is worth working on.

A

Okay, thanks, we have to move on to the next presentation. Thank you. Yon, Frederic and I'm sure we'll have more discussion on this on the list. So.

J

There barso I'll be really quick, so the problem that, via an Cisco, trying to solve contacts light, and so what this describes is it's a mechanism by which we can use acne for integrated with multiple different protocols that are used for issuing device and client-side certs next, so the doc describes multiple different use cases how I can become integrated with est, with brewski with the new brisket club registrar, but for parts of most important. So this room is how it competes, grater, with teeth and with tea.

J

Brisky are what's been rebranded as t pop dated extensions for bootstrapping and I think that acne actually requires the extensions. The new TVs that have been defined and the T pop dish, and so I don't think that I can will cleanly integrate with teeth. There's a couple of problems with teeth, as it currently stands, next slide, and so what's changed last presented this so for acne integrations used to cover exactly four subdomains as well. That has been broken out based on feedback at the acne working group.

J

Last last year are sorry last session and that's been attract me just this time around but acne for sub mins. Does it's a very nice integration for for client, side and circa Xuan's?

J

It allows an acne client to prove to be an ownership of a parent domain, and then the client can then send in certificate requests for hundreds or thousands of subdomain inserts after appearance menu, but I haven't approved domain ownership explicitly for each client site search and the brisket Club register use case has been added and there's been a couple of updates to and Elliot's draft and the two most important ones that we've added as a CSR attributes, one on one that you missed in your presentation.

J

Elliott has a retry after TLV and we try after two. They will be really really useful when and the t p-- server once, which were searched to the client but was not willing to do it. Yet it can't do it yet yeah. So next slide and it's what its core, but like the dystrophy. It should only be informational. It doesn't require any changes to acne. It will not require any changes, es T or T RT Popish.

J

What is T and T two is used to antique define and product by which the client can interact with the server, but it doesn't specify had to serve interests with the backend CA and Acme can be used to integrate at the backend CA next slide. I was just over you to flow, so this is. This is boilerplate Acme. This is how you can use acne to M. Do the main claim using DNS next slide. This just bought skip over this? That's just standard Tipton establishment.

J

This is where it gets interesting, and so this is standard teak, but doesn't have the Nu T of these that have been defined in tip update and the client sends in a PK. C is 10 requests to the tip server. Keep server then turns around and sends a Acme new order request, followed by an acme finalized request, fun la followed by the Acme certificate request. Again, everything on the left hand, side the standard, T everything on the right hand, side for standard Acme, no genius.

J

Why the protocol- and it ends up with them the client even issued a certificate that is sent by the cheap server using the pkc as ten people. Sorry, a PK c is seven till the two. The pledge next slide. So the next slide covers it's. It's the new T of these that have been defined in the T pop date. It defines what happens and how our client Lee were just using utilities. So first is the client doesn't know what attributes to include in the C user request, so the client sends and you teach.

J

These are attributes request to the Steep server. That's response so, for example, that could include specific information on what subject to include or hots and to include and the client. Then in step 3 sends pikas. He is 10 T of e to the t. Server keep server turns around and interacts react me. Acme will turn around and say the status is processing I'm not ready to. She was searched yet Holly. She was hurt in a certain period of time. Acme has a mechanism for specifying our retry after interval to the Acme client.

J

The teep server is jack me client and turned around and used the new retry after kill the send that retry back to the client. The client will then retry after that. Timeout has courage, I'm the way that the tip of the attractor is currently specified. It's just two different mechanisms for doing to retry. One is wood in the tunnel.

J

If it's a short control to is outside the tunnel, it was a long interval and that's indicated via either a 1x X or a 2x X error code until V and T TLV and and then finally, after the retry declined. Part illustrator here is happening inside the same tunnel. The client in step nine sends the exact same pkc as ten requests again to the teep. Server. Keep server then goes to Acme and the finalize our ger is ready. It downloads, the certain returns it to the client in the pkcs7.

J

Next slide is the final slide. So discussion of, what's missing from the draft is security considerations. It's security considerations need to touch on all the integrations so EST and brewski and acme and t p--, and but the biggest the biggest thing that I'd like to discuss here and the questions I'd like to get feedback from is because this spans multiple working groups, Acme anima mu. Why do we do with this? Where do we go next with this? With this draft, several people on several organizations have expressed interest in us, but we don't over at lands.

A

Any questions comment.

T

Sir, not really on this point, some other point, a just a clarification question when you do the the translation between the two protocols, how do you handle the account management that is in Acme? So is the account that is used to request the certificates from the temporary server or from the client? Well,.

Q

The tip server is Technic right. Oh okay, thank you.

P

Roman so back to the kind of the question: where do we do it? Unfortunately, I know the sec dispatch agenda is full, so we can't take it there or kind of later this week. So we can start I'm. Sorry, there is still that you're right, then yeah. The question I was gonna, ask is I mean. Would this working group be against doing the work here and we can ask you know acne as well.

U

I'm Francia, just a quick question: is there any relation of this drafter with the bouzouki? Yes,.

J

It got.

U

Its intranet wait with.

J

Brewski well.

U

What would religion so.

J

Brewskis loosened up for ESG, so the actual certain role mechanism in brewski just uses boilerplate est. Yes, um and this can integrate with est and that when the client sends the est simple, enroll or foreign oil message to the each server. Deep server can turn around and turned it into an acne request. Because.

Q

What and.

J

And in fact, if you read the est draft, the eastery draft says that when the server is deployed as a registration authority as an RA, the protocol and the interactions between the RA and the certificate authority is out of scope of the UST draft. So it could be acne. Yes,.

U

Because uh but um but my point is that yeah I understand your point, but that's just the very last step of the Yeomen of the devices. So it whiskeys are mainly about it that you know that from the beginning on here, the est so yeah, but.

J

The only the only relationship is is what's behind that est simple wrong API. What's behind the ECC inferno.

U

Lindy.

J

I could be acne.

U

Map on there did, comparing to other working group, I think the bullski has so little radiation where, if your radiation with your work other may be more related.

A

Yeah I think you know we can do a poll here. I, don't know if that's gonna think how many people have read the document. Okay, three people so I think we have to get a little more. You know people looking at it and you know if there is interest I, don't I, don't think it's impossible to do it in this working group. It doesn't strike me as necessarily being the most logical group to do it in, but you know it I suppose it's as good as any so.

J

I kill one of one of the agenda items for acne this week is, should it be adopted by acne, okay,.

A

So if they adopt it, then that's great I.

J

Take the answer would be no from athlete all right, so let's say and I'll take it to EMU or take it to somewhere else. The.

C

Only reason I think this le the only reason I think you should be adopted here is that it's gonna normally block on the teep update. It's gonna normatively block on the t pub meet so I mean it works happening here. If you're gonna normally block normatively block on something you hacked me, then then it's a 710 split.

A

Okay but I think there's you know more discussion to be had.

W

All right, I.

A

Think that's it for this edition of your email working group, meeting yeah.

A

Hey John, so like yeah, just you know, since there are these questions, I just was unresolved right and maybe it's fine.

W

It's.

F

Not like a big deal.