►
From YouTube: IETF111-EMU-20210729-2330
Description
EMU meeting session at IETF111
2021/07/29 2330
https://datatracker.ietf.org/meeting/111/proceedings/
A
B
Okay,
so
you
are
in
the
right
spot
if
you
want
to
be
attending
the
email
working
group,
eap,
method
updates,
hopefully
by
now
you've
all
seen
the
note
well
I'll
leave
it
up
here
for
just
a
couple
minutes
seconds,
but
we'll
now
move
on
to.
B
The
request
so
again
we
have
minute
takers,
jabber
window
is
or
our
jabber's
open
and
people
can
talk
in
it
or
type
in
it,
and
we
will
try
to
relay
those
messages
and
there
are
no
more
blue
sheets,
it's
automatic.
So
when
you're
speaking,
please
state
your
name
and
always
remember
to
try
to
keep
things
professional
for
the
agenda.
We
have
just
to
go
over
this
administrivia
and
then
we'll
start
in
with
tls
based
eat
methods.
B
B
C
So
if
we
go
ahead,
not
a
lot
aligned
it
with
the
tls
one.
Three
draft
based
on
go
to
the
next
slide,
based
on
john's
comments,
use
type
consistently
instead
of
random
variations
thereof,
some
notes
on
session
tickets
that
they
must
not
be
valid
until
after
the
inner
tunnel
off
is
done.
C
There
have
been
issues
with
eat
previously,
where,
if
you
don't
mangle
the
tls
layer
appropriately,
you
can
connect
not
authenticate
with
stuff
like
ttls
and
then
immediately
resume,
and
so
you
have
to
work
around
that.
This
is
not
even
pls
one.
Three.
It's
just
a
note
that
this
was
not
covered
in
the
previous
specs,
updated
section
5.1,
with
notes
on
protected
success
and
failure
indicators,
the
issue
there
is
ttls
when
you
have
pap
or
chap
inside,
there's
no
protected
success
or
failure
indicators.
C
The
only
other
comment
I
would
have
on
this
draft
is
some
text
I
posted
to
the
list
the
other
day
based
on
random
unnamed
vendors,
who
decided
that
we
should
use
anonymous
identifiers
inside
of
the
tls
tunnel,
and
perhaps
there
should
be
text
in
the
document
suggesting
that's
a
bad
idea,
and
so
on.
That
was
posted
to
the
list
a
few
days
ago
and
I
haven't
seen
any
comments
or
updates
to.
B
What
that
is
bad
about
the
anonymous
cars.
C
Well,
the
the
point
is,
usually
you
have
an
anonymous
identifier
in
the
outer
layer.
You
know
at
example.com
and
then,
when
you
go
inside
of
that,
you
have
ttls
or
peep
with
your
real
username,
joe
example.com,
and
some
vendors
decided
just
to
use
the
anonymous
identifier
in
both
places.
So
your
inner
identity
that
you
send,
along
with
your
password,
is
at
example.com
meaning.
You
cannot
meaningfully
authenticate.
C
Anyone
so
yeah
it's
it's
one
of
these
rather
surprising
things
that
it
got
past
the
most
basic
qa.
So
there's
about
four
or
five
paragraphs
of
text
in
the
list
which
I'm
suggesting
we
add
to
the
document
before
the
next
rev
explaining
we
should
have
an
anonymous
outer
identifier,
so
it's
routed
properly.
C
The
inner
identifier
must
not
be
anonymous.
Otherwise
you
don't
know
who
to
authenticate,
and
the
inner
identifier
probably
should
not
have
a
realm,
because
you
already
have
one
the
outer
identifier
and
there's
no
point
in
having
it
in
both
places.
D
So
this
is
sean
I
was
gonna
ask
if
you
did
that,
and
you
answered
my
question
so
thank
you.
D
B
B
Mohit,
did
you
have
anything?
I
guess.
E
Just
the
same
question,
I
guess
I
don't
know
if
we
know
which
vendor
is
doing
this,
because
how
it's
like,
if
you
don't,
have
a
username,
how
do
you
look
up
the
database
to
actually
do
the?
What.
C
Exactly
exactly
there
is
this,
is
I
mean
if
you
go
look
you
can
find
it.
It
was
certain
builds
of
android
and
there
were
lots
of
people
that
I
ran
into
complaining
and
going.
C
Oh
god,
this
is
a
horrible
horrible
issue
and
the
solution
for
their
customers
was
to
use
the
full
name,
including
username
and
realm
as
the
anonymous
outer
identity,
because
that's
the
only
thing
you
could
have
you
could
configure,
which
would
then
be
copied
to
the
inner
identity,
and
so
it
works,
for
you
know
mod
various
versions
of
works
that
people
can
get
online.
But
now
you
don't
have
an
anonymous
header
identity,
which
is
arguably.
D
F
Yeah,
you
mentioned
to
strip
the
inner
username
sorry.
This
is
jan
fred
speaking
to
men
strip
the
inner
username
of
the
realm,
but
I
can
actually
think
of
some
rare
cases
where
the
routing
may
have
a
different
realm
than
the
inner
username.
For
example,
if
different
user
bases
are
configured
in
one
server
and
also
I
have
encountered
some
operating
systems
windows,
especially
which
actually
uses
the
realm
of
the
inner
username
to
determine
the
outer
username.
C
Yeah
I'd
I
mean
we
can
take
this
to
the
list
for
the
technical
discussions.
C
For
me,
I
I
have
a
hard
time
seeing
where
those
should
be
different.
I
mean,
if
we're
going
to
call
the
outer
identity,
the
routing
one
then
yes,
routing,
should
be
independent
from
your
actual
identity.
C
I
I'd
want
to
know
exactly
what
the
use
cases
for
it
that,
for
that
would
be
and
probably
put
something
in
the
document
saying
hey.
You
know.
This
is
why
you
do
it,
but
in
general,
from
my
experience
most
of
the
time,
those
two
realms
should
be
identical.
C
If
you
put
one
in
the
indirect
inner
identity
or
else
the
inner
identity
should
not
have
a
realm
and
stuff
like
windows,
arguably,
should
configure
outer
and
inner
identities
as
separate
items,
because
they
really
are.
B
Okay,
so
it
sounds
like
this
is
a
discussion
we
should
take
on
on
the
list.
There's
a
couple.
I
think
a
few
little
things
to
resolve
here.
How
many
folks
on
the
call,
have
read
the
some
recent
version
of
this
draft
or,
if
you
could,
plus
one
in
the.
A
B
And
we
need
a
couple
more
folks
to
to
review
this
draft
so
that
we
can
get
it
to
a
place
and
then
we
can
last
call
it.
So
I
think
certainly
have
the
discussion
that
we
need
to
have.
I
think
it's
getting
reasonably
close,
but
I'd
feel
a
lot
better
if
we
had
more
folks
on
the
call,
if
you
haven't,
is
there
anybody
who
would
want
to
commit
to
reading
this
and
reviewing
this
draft
in
the
next
month
or.
B
B
All
right
I'll
try
to
track
down
a
couple
more
folks
and
give
me
some
reviews
anything
else.
You
want
to
talk
about
on
this
subject.
Alan.
A
Okay
and
then
we'll
move
to
the
next
presentation,
so
we're
just
taking
a.
A
C
So
yes,
this
is
a
bit
of
a
monster
draft,
it's
just
under
60
pages
and
may
get
bigger.
So
we
go
to
the
next
slide.
The.
C
C
Politely
and
anonymously
gotten
from
a
number
of
people
about
what
people
do
with
their
uis
apis
workflows
and
the
answer,
as
we've
seen
with
this
with
with
this
anonymous
identifier,
is
people
make
random
changes
to
everything?
C
C
It's
all
kinds
of
mdm
vendors
selling,
expensive
products
for
simplification,
simplification,
ease
of
use,
these
have
their
own
issues
and,
as
the
apis
are
changing
and
breaking
these
mdm
products
becoming
less
useful.
Next
slide.
C
So
the
requirements
device
has
a
network
connection.
Untrusted
is
fine.
Slow
is
fine
root
cas
for
web
pki,
a
username
and
a
password
and
per
dan's
comments
on
the
list.
That's
a
good
point.
It
doesn't
actually
require
the
username
and
password
all
it
really
needs
is
the
realm,
but
the
initial
purpose
of
this
draft
is
end
user
devices,
so
we'll
just
call
it
a
username
and
password.
C
So
if
we
go
to
the
next
slide,
what
the
device
does
is
it
gets.
The
nai
from
the
username
looks
up
a
cert
resource
record
gets
a
uri
which
is
https,
so
you
don't
need
dns
sec.
It
doesn't
matter
if
someone
forges
those
dns
records
because
you're
looking
up
a
uri
in
the
nai
domain
that
you
were
given.
C
You
verify
that
the
websertforexample.com
is
valid
from
your
web
root
cas
you
download,
whatever
you
find
there
and
then
there's
stuff
inside
those
certificates,
rfc
4304,
among
others,
which
can
can
contain
network
identification
information.
C
And
now
you
have
a
network
you
can
connect
to.
You
know
the
ca
that
sign
the
server
cert.
You
know
your
domain,
you
pick
each
tls
as
it
says
in
the
document
or
ttlsp,
some
tls
based
eat
method
and
you
can
authenticate
knowing
that
the
eep
server
you're
talking
to
has
a
chain
of
trust
going
back
to
the
http
server
and
the
web
pki.
C
There's
a
lot
of
details
in
the
draft
about
variations
of
all
this
there's
a
lot
of
questions
about
what
happens
in
this
situation
or
this
situation.
That's
all
covered,
there's
lots
of
lots
of
details
in
the
draft
about
what
doesn't
work
and
why
these
things
don't
work
initially.
The
first
pass
really
only
needs
dns
and
web
configured
on
the
server
side
and
a
client
space
user
utility
on
the
client
side
and
no
real
changes
to
the
supplicant
code.
C
C
And
so
the
goal
is,
for
example,
one
use
case
is,
you
know,
10
000
university
students
want
to
get
into
eduroam,
they
have
a
username
and
a
password
and
they
just
connect
to
eduroam
with
unauthenticated
eeptls.
Do
some
lookups
for
the
university
get
the
certificate
information
and
then
reconnect
with
full
authentication.
C
So
you
can
work
in
captive
portals
to
get
your
configuration
or,
if
you
have
lte,
you
can
bootstrap
wi-fi
minimal,
deep
server
side
changes
required,
no
code
changes
on
dns
or
web
servers.
Your
configuration
can
be
refreshed.
The
document
talks
about
how
configuration
refresh
works
can
follow
a
process,
so
the
user
ui
can
follow
a
process
similar
to
web
uis,
but
for
network
access,
hey
we're
connecting
to
this
network.
C
C
C
C
C
G
G
Yeah
dan
harkins
thanks
alan,
so
in
in
your
example,
you
had
alice
doing
a
dns
look
up
for
bob's
certificate,
but
doesn't
dns
require
ip
connectivity
and
this
is
still
an
eep.
So
how
are
you
so.
C
Yes,
this,
this
is
all
very
true.
It
does
require
some
network
connectivity,
so
there
are
two
ways
to
do
this.
One
is,
for
example,
you
have
a
phone
and
you're
trying
to
connect
to
eduroam.
You
still
have
lte
or
4g
5g
backhaul.
C
C
We
need
a
positive
signal
that
you're
trying
to
do
eeptls
by
using
an
outer
username
of
something
like
provisioning
at
eep.arpa,
and
now
the
eep
server
knows
hey,
I'm
going
to
put
you
in
a
captive
portal.
You
have
network
connectivity,
you
can
do
four
dns
lookups
a
couple
of
web
downloads.
You
get
your
configuration,
you
drop
the
wi-fi
connection,
you
bring
it
back
up
again
with
your
new
eep
configuration
and
it
all
should
just
work.
D
Hi
alan:
this
is
sean
turner.
Just
a
quick
question.
All
right
are
we
requiring
it
to
be
sorry
pinned
to
the
web
pki
or
is
this
kind
of
like
a
simple
enough?
You
just
load.
You
need
some
trust
anchor,
so
you're
gonna
load,
the
ones
that
are
most
available.
Yeah.
C
This
is
just
a
trust
anchor
the
current
code.
That's
there
in
the
github
repo
in
fact
doesn't
verify
the
web
server
certificate.
Whatever
right,
you
can
always
pass
the
correct
options.
The
the
key
thing
I'm
trying
to
do
here
is
leverage
some
pre-existing
network
connectivity
and
pre-existing
trust
to
walk
a
chain
of
information
to
get
your
eep
configuration.
D
Fair
enough,
so
I
mean
like
because
there's
multiple
places
where
you
can
get
trust
anchors
from
so
it
kind
of
long
as
long
as
whatever
your
client
is
doing,
gets
back
to
its
trust.
Anchor
store.
That's
enough!
It's
not
like
you
must
use.
You
know
this
particular
web
pi
store.
So
I
think
that's
that
makes
sense.
B
C
Right,
like
like
est,
there's
a
dot
well
known,
slash,
ca,
right
or
dot
when
slash
est,
slash
c
well,
we
could
have
a
dot
well
known,
slash,
eat
ca,
and
if
you
trust
that
web
server,
you
trust
it
to
give
you
your
eepca
and
then
the
issue
as
to
whether
or
not
that
epca
is
already
known
or
as
a
private
ca.
C
C
C
That
city
can
now
issue
certificates
for
google
too,
and
so
there's
a
big
discussion
in
the
document
of
hey
either
you
have
to
have
a
different
ca
store
for
eep
or
you
have
to
effectively
be
able
to
mark
up
those
cas
as
saying
hey
trust
this
one
for
web
and
trust
this
one
for
e,
but
don't
cross
confuse
the
issues.
C
For
example,
some
of
the
tests
that
people
have
done
is
you
know,
war
driving,
you
go
around
a
university
campus
and
you
create
a
fake
ssid
on
your
laptop.
You
create
your
own
fake
ca.
C
You
sign
certificates
for
your
university,
which
contain
all
the
university
addresses,
but
they're
from
this
unknown
ca
and
you
broadcast
an
eduroam
ssid
and
there
are
a
good
chunk
of
devices
which
simply
never
notice
or
the
information
they
provide
to
the
user
is
completely
useless,
and
so
the
devices
will
go.
Oh
that's
a
ca.
I've
never
seen
before.
C
E
Could
you
joe
go
back
a
couple
of
slides
to
slide
seven?
I
I
think
I
had
a
question,
but
I
don't
know
if
I
remember
it.
E
E
C
C
You
have
no
idea
whether
or
not
the
server
certificate
is
okay,
whether
it's
from
a
known
ca.
It's
completely
opaque.
I
have
a
bunch
of
screen
shots
from
different
devices.
Different
vendors,
where
they
do
things
like
put
up
the
fingerprint
of
the
server
certificate
and
say:
is
this?
Okay
and
the
user
has
absolutely
no
way
of
telling
whether
or
not
that's
okay,
whereas
instead,
if
there
was
some
way
to
get
trusted
configuration
and
trusted
eep
ca,
then
when
the
user
tries
to
connect
you
can
the
supplicant
can
connect
to
the
server
and
go
hey?
C
C
And
therefore,
you
know
show
that
to
the
user
hey,
this
is
a
trusted
ssid
and
that
kind
of
thing
can
be
used
for
different
ssids
right.
So
the
draft
talks
about
how
to
configure
ssids,
but
let's
say
the
user-
wants
a
config
wants
to
connect
to
an
ssid
that
he
doesn't
know
about
right.
He
should
be
able
to
just
click
an
ssid
and
get
told
yes.
The
server
see
is
the
server
certificate
is
trusted
or
not,
and
if
it's
trusted,
then
you
can
send
over
your
credentials
and
if
it's
not
trusted,
you
can't.
C
Anyway,
the
draft,
as
long
as
I
said,
almost
60
pages,
it
goes
into
a
lot
of
detail
about
a
lot
of
different
issues.
What
I'm
trying
to
do
here
is
to
sort
of
give
the
10
000
foot
picture
of.
C
The
examples
here
are
web
pki.
Then
we
can
get
a
chain
of
trust
which
ends
up
allowing
the
supplicant
to
configure
e
and
the
end
user.
For
the
user
portion
of
this
from
the
end
user
side,
all
they've
done
is
enter,
my
name
is
allen.
Example.Com
and
my
password
is
super
secret
magic
happens
behind
the
scenes,
and
then
they
get
a
secure,
wi-fi
connection
that
they
can
trust.
C
That's
a
little
better
than
what
happens
today,
which
is,
I
think
at
best.
We
can
describe
it
as
painful.
You
know.
I
mean
anyone,
who's
gotten
a
new
device
and
tried
to
get
wi-fi
configured
to
secure
corporate
network.
Your
choices
really
are
banging
your
head
against
the
wall
or
downloading
some
mdm
software,
and
then
what
happens
right
and
then
this
is
a
question
two,
which
is,
if
you
download
some
mdn
software
with
the
ca
that
comes
from
your
corporation
onto
your
personal
device
effectively,
they
can
pretend
to
be
google.
E
Okay,
yeah
thanks.
I
think
that
answers
my
question.
Maybe,
while
you
are
stayed
at
this
slide
and
if
the
there's
time
for
one
more
question,
how
like
I'm
not
sure
how
this
or
how
does
eep
work
with
captive
portals
in
general
and
then
like
how
like,
could
you
expand
a
little
bit
more?
What
does
it
mean
that
it
works
with
captive
forces.
C
The
issue
right
now
is
captive
portals
by
and
large,
don't
do.
Eep
and
you're
you're
left
with
some
human
reading,
some
webpage
trying
to
figure
out
what
to
do
and
whether
or
not
they
have
to
enter
their
credit
card
information,
for
example,
in
an
airport
the
nice
thing
about
using
unauthenticated
etls,
especially
if
we
can
use
a
realm
like
eat.arpa.
C
C
So
the
point
and
then
the
hope
here
is
to
take
the
person
out
of
this
process.
You
know,
having
pop-ups
to
say:
is
this
server
certificate
valid?
This
is
what
I
do
for
a
living.
I
have
no
idea
what
to
do
with
those
pop-ups
and
if,
instead,
my
process
is
here's,
my
name
and
password
and
I
get
on,
I
have
a
lot
more
confidence
in
that
so
yeah.
Removing
the
human
from
the
captive
portal
approach,
I
think,
is
beneficial
for
everyone.
B
Thanks
cool,
so
I
think
it
would
be
great
to
have
more
discussion
of
this
on
the
list.
There's
definitely
things
we
want
to
look
into
here
I
mean
making
this
experience.
Better
is
a
good
thing.
So,
thanks
alan.
B
G
Presentation,
okay,
great,
can
you
do
full
screen
there
we
go.
So
thank
you.
My
name
is
dan
harkins
owen
and
I
have
been
working
on
this
for
some
time
now.
We
got
some
comments
from
the
tls
group
and
like
to
bring
it
back
into
emu.
So
next
slide.
G
Please
so
a
little
bit
of
background,
the
the
wi-fi
alliance
has
defined
this
thing:
the
device
provisioning
protocol
that
will
take
a
public
key
and
use
it
to
bootstrap
a
client
into
a
wi-fi
network,
and
what
happens
then
is
the
the
client
gets
a
guarantee
that
he's
connecting
to
the
the
right
network
being
defined
as
the
one
that
knows
his
his
bootstrapping
public
key
and
the
network
has
a
guarantee
that
it's
it's
provisioning,
the
right
client,
because
it's
the
one
that
knows
the
corresponding
private
key.
G
This
trust
model,
of
course,
assumes
that
the
the
key
databases
has
is
has
some
strong
integrity.
The
whole
security
of
dpp
depends
upon
that.
This
bootstrapping
public
key
is
basically
a
base64
encoded,
asn.1
sequence
of
a
central
public
key
info,
and
it
looks
it's
transferred
any
uri
that
looks
like
this
tpp
colon
and
a
bunch
of
goo.
G
The
format
of
that
is
in
the
the
dpp
spec.
But
everything
following
the
k,
colon
there
is
the
base64
encoded
key.
The
important
thing
here
is
the
key
is
a
raw
key.
That's
not
required
to
be
in
a
pki.
G
It
could
be
static
and
bound
to
that
device
or
it
could
be
dynamic,
and
if
the
device
is
a
gui,
it
could
display
its
key
in
the
form
of
let's
say
a
qr
code
on
the
gui
or
you
know
the
device.
The
infrastructure
could
download
this
uri
from
from
the
cloud.
G
If
you
want
to
do
a
kind
of
you
know,
true
zero
touch
experience,
but
once
the
the
infrastructure
has
gotten
this
this
key
and
authenticated
the
device
the
device
can
be
given
a
credential
that
will
allow
it
to
get
on
any
possible
network.
It
can
get
a
psk
or
a
password.
It
can
get
a
certificate
if
it
needs
it
and
it
can
get
a
thing
called
a
connector
which
is
sort
of
like
a
goldilocks
credential.
G
It's
it's
not
quite
as
weak
as
a
psk,
but
it's
not
quite
as
as
intense
as
a
certificate.
It's
sort
of
like
right
in
the
middle.
So
next
slide.
Please.
G
So
here's
an
overview
of
dpp,
so
the
infrastructure
is
getting
this
uri
either
scanning
a
qr
code
or
doing
nfc
or
getting
it
from
the
cloud
or
something
and
coincident
with
that
or
maybe
before
that
this
device
is
is
doing
what's
known
as
a
chirp
and
it's
it's
chirping
out
announcing
its
presence
and
the
infrastructure
will
then
use
that
to
discover
this
this
device
and
use
the
bootstrapping
key
that
it
has
downloaded
to
authenticate
the
device.
G
G
So
if
you're
paying
attention
you're
going
to
say
well,
that's
great
dan,
but
what
does
this
have
to
do
with
emu?
And
that
is
a
fantastic
question.
So
dpp
solves
the
the
catch-22
problem
of
where
you
need
a
credential
to
get
a
credential,
but
dpp
is
4.11
only
and
it
doesn't
work
for
any
sort
of
other
medium.
G
So
what
we
wanna
do
is
we
wanna
use
the
same
sort
of
dpp
bootstrapping
techniques,
either
getting
the
public
key
from
the
cloud
or
from
a
qr
code,
that's
in
a
bomb
or
on
the
device's
back
side
or
using
nfc
or
whatever
the
the
various
schemes
that
dpp
has
provided.
We
want
to
use
that
to
establish
trust
across
both
wi-fi
networks
and
wire
deployments,
so
we
want
to
use
that
public
key
to
solve
the
the
same
catch
22
that
we
have
for
wired
enterprise
devices.
G
So
what
happens
is
we
can
use
so
dot?
One
x
is
gonna.
Do
identity
request
at
linkup,
so
there's
no
sorts
of
discovery.
Issues
involved,
there's
no
chirping
necessary,
and
so,
as
I
mentioned,
dpps.11
only
uses
these
pre-association
action
frames,
but
the
equivalent
for
that
in
wired
is
is
eep,
so
we
can
use
eep
to
do
this
sort
of
authentication.
G
G
G
We
can
then
use
that
psk
with
rfc
8773,
which
defines
how
to
use
an
external
psk
with
with
tls
authentication,
and
we
use
that
derived
psk,
so
that
will
provide
proof
to
the
client
that
the
server
really
knows
his
public
key
helps
proves
to
the
client
that
the
server
proves
that
cert
by
the
server
that
the
client
has
the
public
key,
but
also
we
can
use
rfc
7250,
which
is
tls
with
a
raw
public
key
where
the
client
can
use
his
bootstrapping
key
to
sign
his
particular
share,
and
that
will
provide
an
additional
proof
to
the
server
that
the
client
has
the
corresponding
private
key.
G
We
signal
all
of
this
with
a
new
name
coming
out
of
the
extensible
psks
registry-
that's
being
defined
by
this
draft
here,
so
we're
not
actually
requiring
any
changes
to
anything.
There's
nothing
that
changes
in
teep
there's
nothing
that
changes
in
87
73,
nothing
changes
in
7250
and
all
we
do
is
ask
for
a
name
from
a
registry
of
names,
that's
being
defined
for
that
purpose.
G
So
here's
how
it
looks
in
tls,
the
plain
normal
font
is
the
existing
tls
exchange.
The
boldface
stuff
is
what's
being
is
what's
present
for
bootstrapping
with
with
dpp
and
the
red
stuff
is
the
new
stuff
we
added
so
we're
just
adding.
You
know
this.
This
bs
key
identifier
from
the
extended
psk's
draft
and
then
we're
adding
the
using
the
cert
with
external
psk
from
and
we're
indicating
that
the
client
will
be
using
a
raw
public
key
from
7250
and
other
than
that,
it's
straight
old
tls
next
slide.
G
G
And
so
how
this
all
hooks
into
eep
then
to
draw
back
to
that
question,
you
all
had
well
we're
going
to
use
this
to
authenticate
again
with
teep.
So
what
happens
is
at
link
up?
The
authenticator
is
going
to
say
who
are
you
and
the
client
being
having?
No
knowledge
of
anything
whatsoever
doesn't
know
what
his
realm
is
he's
just
going
to
say,
tls
poke.
Now
there
was
a
discussion
on
the
list
about
whether
this
should
be
tls,
poke,
tlspoke.arpa
or
something
like
that.
G
Whatever
we
can,
we
can
decide
that
later,
but
the
idea
is
that
the
client
responds
with
just
some
static
identity.
Saying
I'm
one
of
these
weird
bootstrapping
people
and
the
authenticator
then
will
will
initiate
teep
and
teep
will
be
authenticated
with
tls
dpp,
using
the
bootstrapping
key
that
the
authenticator
has
obtained,
using
whatever
dpv
bootstrapping
method.
G
Once
that's
been
authenticated,
then
we
just
do
the
regular
old,
teep
s-like
exchange,
where
there's
a
csr
attributes
tlv
followed
by
pkcs10
tlv,
a
pkc7
tov,
and
then
the
supplicant
now
has
been
enrolled
in
the
ca
and
all
of
his
subsequent
network
connections
will
use
this
in
the
certificate
that
he's
been
provisioned
with
next
slide.
Please.
G
So
where
we
are
is
we're
on
o3
of
the
spec.
I
hope
everyone
has
had
a
chance
to
read
it.
We
do
have
some
running
code
for
the
tls
portion
of
it.
Owen
has
implemented
this
in
mint
and
at
this
point
in
time
we
owen
presented
this
to
tls
yesterday
and
they
had
no
real
comments
about
or
concerns
with,
our
tls
approach.
G
B
Okay,
are
there
any
folks
who
want
to
speak
up
now
about
their
opinions
about
adopting
or
not
adopting
this
draft
interest
in
this
draft
either
positive
or
negative?.
B
B
We
have
a
few
folks,
I
think
we're
going
to
need
to
get
a
few
more
interested
parties
in
order
to
make
sure
that
we
have
enough
folks
to
do
the
review.
So,
let's
kind
of
work
offline
to
see,
if
that
something
we
can
do
so
that
yeah
do
we?
Can
we
get
some
volunteers
who
are
interested
in
reviewing
this
draft
as
well.
B
Okay,
so
I
think
that's
something
we
need
to
work
on.
Okay
and
then
I
think
we
can
have
a
little
more
discussion
on
the
list.
Then
we
can
see
if
it's
appropriate
to
it's
late
thursday.
B
And
yeah
for
some
locations-
it's
maybe
friday,
already
all
right.
B
H
H
H
Six,
hello,
I'm
a
mailing,
transform
channel
mobile
in
this
draft.
We
propose
a
method
of
using
identity
as
raw
public
key
in
eaptls.
H
We
already
gave
our
presentation
at
the
ietf
109.
Also
some
commerce
were
received.
We
can
review
it
together.
Our
first
question
is
what
scenario
it
is
for.
The
scenario
are:
is
for
internet
of
things,
devices
especially
for
passive
wrong
life
device
and
other
scenarios
is
also
suitable
is.
Is
it
related
to
ibe?
H
We
just
use
ibs
signature
to
slow
the
identities
authentication
program,
not
use
the
identity
based
encryption
here,
any
any
running
code.
We
are
making
implementation
in
our
local
network,
recording
efts
ibs,
based
on
their
own
efts
1.2
and
using
ecce
and
another
question
is
any
cross
scope
of
iot
obs.
I
have
checked
charter
of
the
work
group.
I
think
they
have
no
class
scope.
H
And
pres
and
the
present,
the
version
is,
have
been
updated
to
version
02.
Detailed
modifications
can
be
seen
in
the
draft
by
the
two
tiers,
so
the
slides
just
give
a
summary.
We
have
two
updates
and
two
new
a's.
The
first
update
is
in
object,
which
a
a
reference
of
draft
itfts
details.
13.
The
second
update
is
in
the
introduction.
We
ate
a
text
description
in
the
draft
draft
itef
e-m-u-e-a-p-t-s.
H
Certain
race
certificates
can
be
of
any
type
separated
by
tls
in
including
raw
public
kings
and
in
fc,
13,
32
and
15
it.
Assuming
that
an
out-of-band
mechanism
is
used
to
bind
them
public
into
the
entity,
pre
is
ending
their
kin.
These
two
tips
is
suitable
for
our
jet.
H
And
the
two
new
ace
is
the
first
one
is
in
ia
consideration
part.
So
this
document
registers
the
following
items
in
the
merchant
types
registry
under
is
tangible
authentication,
protocol
registry
heading
and
the
second.
The
new
is
in
use
cases
of
the
eats
ibs.
In
section
three,
the
one
is
used
for
authentication
of
iot
and
the
other
is
used
for
system
that
do
not
support
ca
certificates.
H
Maybe
it
can
just
aid
as
an
optional
choice.
If
there
are
any
other
use
case
requirements
we
received
from
the
comments,
we
will
also
increase
this
part
of
the
use
case
next
slide.
The
price.
H
We
update
the
process
in
in
figure
7
figure,
8
and
figure
9..
We
ate
a
round
trip
interaction
based
on
the
draft
item:
emu
e
apts
certainty
version
18
after
tls
finished
the
message
sent
from
eap
server,
no
more
commitment
message
sent
and
after
tia
has
finished.
The
message
sent
from
us
indicating
peer
will
return
an
ap,
requester
message:
waste
tls
application
date,
zero
exerto,
then
authenticating
peer.
Give
a
response.
Finally,
is
is
aap
success
which
flagged
end
of
the
procedure.
H
He
would
do
the
asn.1
structures
for
person,
one
modules
when
it
becomes
an
ifc
and
will
reveal
the
part
asn.1
portion
of
the
specification
to
make
sure
they
are
clear.
So
we
will
continue
with
this
draft
for
update
what
we'll
do.
Next,
we
will
devise
the
king
derivation
based
on
eaps
ibs.
H
If
this
draft
become
a
what
group
draft
one
thing
need
to
do
is
that
eft
space,
the
type
needs
to
enter
new
type
for
apts
ibs
in
the
work
group
item,
draft
ietf,
emuts,
eap
types
and
the
next
step.
We
want
to
try
to
call
for
adoption
thanks
and
commerce.
B
Do
you
have
anybody
who
wants
to
comment
on
this
particular
draft
and
whether
it's
something
the
working
group
should
take
on
or
not,
and
also
how
many
folks
have
read?
Has
anybody
read
this
draft
and
plus.
D
I'll
be
real,
quick,
I'm
not
a
lover
of
the
identity-based
encryption
or
than
any
signature
stuff
at
all,
but
also
I'm
okay,
with
people
exploring
and
doing
whatever
they
want.
So
I'm,
okay
with
progressing,
whether
it's
in
the
working
group,
where
you'd
be
sponsored
or
whatever
I
have
no
problem
with
that.
I
don't
really
have
an
opinion
whether
it
should
be,
it
must
be
in
whether
it
must
be
in
the
working
group
or
not.
So
that's
all.
I
really
want
to
say
thanks.
H
B
Okay,
right
now,
it
doesn't
show
that
we
have
anybody
who's
kind
of
read
the
draft
on
the.
A
More
people
interested
in
this
use
case.
H
Yes,
I
I
I
didn't
know
how
many
people
have
read
their
job,
so
maybe
after
the
discussion,
we
can
send
the
mail
list
and
ask
for
artists
for
comments
and
have
a
red
harris.
A
quick,
quick
look
at
my
draft
and
I
do
not
sure
it
is
enough
to
ask
for
adoption.
B
Yeah,
I
don't
yeah,
so
I
think
we
need
to.
I
don't
think
we
have
enough
right
now,
at
least
not
based
on
this.
This
particular
call.
H
B
B
B
All
right
well
see
if
there
are
no
other
topics,
thanks
everybody
for
participating
and
we'll
see
on
the
list.