On Jun 28, 2021, at 8:50 PM, Michael Richardson <mcr+i...@sandelman.ca> wrote:

> To date, Enterprises with laptops and PCs have provisioned the IDevID into
> the TPM, themselves, at the same time the device is wiped and the golden
> image is installed. So, the TPM identity is actually known to them by
> construction.

And... if I have my own phone? Or if a university wishes to tie devices to student accounts? So that they can limit (somewhat) abuses?

For now, the answer is "too bad". Or maybe "buy a $$$$ MDM solution".

As someone who bought my own phone, I'm not going to install some MDM solution which lets my employer wipe my personal device. I would much prefer to be able to prove (a) it's my device, and (b) it has a unique device identifier. The simpler the method, the better.

> Smartphones do not get provisioned that way, but at the factory.
> Ditto IoT devices, and routers that have IDevID.
> RFC8995 (BRSKI) can help, and Eliot has a proposal about how to run that over
> TEAP.
> There are other ways too, and most wind up with an LDevID deployed.

That's good, but I suspect it will take a while to get implemented and/or popular.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu