Hello,

  In a private thread on teap-brski the topic of co-location of the TEAP server and the BRSKI registrar was brought up. It was suggested that the discussion move to these lists to get more input from the experts.

  In draft-lear-eap-teap-brski-02 the architecture shows the TEAP server and the BRSKI registrar as separate while mentioning that they can be co-located. The following assumes they are not co-located.

  The BRSKI pledge in this draft is called a "device" and the device establishes a provisional TLS connection (through TEAP) to the TEAP server over 802.1X or something similar. The device does not connect to the registrar. The device then creates a voucher request and sends it to the TEAP server using a newly defined TEAP TLV. The registrar signs the request, forwards it on to a MASA, and sends the voucher it gets back from the MASA to the device using another newly defined TEAP TLV.

  So the question is, will this even work? If the TEAP server and BRSKI registrar are separate entities then the voucher will include the TEAP server's EE certificate but it will be signed by the registrar's EE certificate. From my admittedly limited understanding of BRSKI I think the MASA will reject this voucher request because it fails the "proximity" check (if I understand the proximity check correctly). The MASA will treat the registrar as a man-in-the-middle.

  BRSKI folks: is this correct? Will a voucher request be rejected from a deployment like this?

  EMU folks: if the answer from the BRSKI folks is that this doesn't work then is there any sort of weird tunneling or "phase 2" trickery that can be added to TEAP to get this to work or should we just explicitly state that the TEAP server and the registrar are the same entity (they authenticate with the same certificate)?

  Thanks,

  Dan.
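To make the question above concrete, here is an added Python model of the check the MASA performs (RFC 8995 section 5.5.5): the certificate the pledge recorded as `proximity-registrar-cert` when it opened its TLS connection must be the certificate that signed the registrar voucher-request. This is illustration code written for this thread, not code from draft-lear-eap-teap-brski or any BRSKI implementation. Certificates are constructed byte strings identified by their SHA-256, the CMS signature is modeled by attaching the signer's certificate id, and the `co_located` / `separate` scenarios and the serial number are invented for the example.

```python
import hashlib
import json

# Constructed stand-ins for DER-encoded EE certificates; they are opaque byte
# strings, not real X.509, so a certificate's "identity" is just its SHA-256.
TEAP_SERVER_CERT = b"constructed-der: TEAP server EE certificate"
REGISTRAR_CERT = b"constructed-der: BRSKI registrar EE certificate"
PLEDGE_SERIAL = "CONSTRUCTED-SERIAL-0001"  # constructed pledge serial number


def cert_id(der_bytes: bytes) -> str:
    """Identity of a certificate for comparison purposes (SHA-256 of the DER)."""
    return hashlib.sha256(der_bytes).hexdigest()


def pledge_voucher_request(tls_server_cert: bytes) -> dict:
    """Model of the pledge's voucher-request (RFC 8995 section 5.2).

    The pledge copies the certificate of the TLS server it is actually
    talking to into 'proximity-registrar-cert'. In the draft's architecture
    that TLS server is the TEAP server reached through the TEAP tunnel.
    """
    return {
        "ietf-voucher-request:voucher": {
            "assertion": "proximity",
            "serial-number": PLEDGE_SERIAL,
            "proximity-registrar-cert": cert_id(tls_server_cert),
        }
    }


def registrar_voucher_request(pledge_req: dict, signer_cert: bytes) -> dict:
    """Model of the registrar's voucher-request (RFC 8995 section 5.5).

    The registrar embeds the pledge's request as 'prior-signed-voucher-request'
    and signs the result with its own EE certificate. The CMS signature is
    modeled by attaching the signer's certificate id; a real MASA would take
    the signer certificate from the CMS SignerInfo instead.
    """
    inner = pledge_req["ietf-voucher-request:voucher"]
    return {
        "ietf-voucher-request:voucher": {
            "assertion": "proximity",
            "serial-number": inner["serial-number"],
            "prior-signed-voucher-request": json.dumps(pledge_req),
        },
        "signer-cert": cert_id(signer_cert),
    }


def masa_proximity_check(registrar_req: dict) -> tuple[bool, str]:
    """The MASA's proximity verification (RFC 8995 section 5.5.5).

    The certificate the pledge says it connected to must be the certificate
    that signed the registrar voucher-request; if not, some other party sat
    between the pledge and the registrar, and the MASA cannot tell that party
    from a man-in-the-middle.
    """
    outer = registrar_req["ietf-voucher-request:voucher"]
    inner = json.loads(outer["prior-signed-voucher-request"])["ietf-voucher-request:voucher"]
    claimed = inner.get("proximity-registrar-cert")
    signer = registrar_req["signer-cert"]
    if claimed is None:
        return False, "pledge request carries no proximity-registrar-cert"
    if claimed != signer:
        return False, "proximity-registrar-cert does not match registrar signer"
    return True, "proximity assertion verified"


def co_located() -> tuple[bool, str]:
    """TEAP server and registrar are one entity using one certificate."""
    pledge_req = pledge_voucher_request(REGISTRAR_CERT)
    return masa_proximity_check(registrar_voucher_request(pledge_req, REGISTRAR_CERT))


def separate() -> tuple[bool, str]:
    """Pledge terminates TLS at the TEAP server; a distinct registrar signs."""
    pledge_req = pledge_voucher_request(TEAP_SERVER_CERT)
    return masa_proximity_check(registrar_voucher_request(pledge_req, REGISTRAR_CERT))


if __name__ == "__main__":
    print("co-located:", co_located())
    print("separate:  ", separate())
```

Running the script shows the two outcomes side by side: with one shared certificate the proximity assertion verifies, and with the TEAP server and registrar holding different EE certificates the MASA sees a mismatch between the certificate the pledge connected to and the certificate that signed the request, which is the rejection the message above anticipates. RFC 8995 phrases this check as something the MASA MAY do, so whether a given deployment is rejected depends on the MASA enforcing it.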


_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu