On Dec 27, 2024, at 5:48 AM, Jouni Malinen <j@xxxxx> wrote:

> Taking into account the limited deployment of TEAP (and no deployment that
> could have really been compliant with RFC7170), that would seem to imply
> that wpa_supplicant changes should really go much further than this
> particular change of not complaining about missing PAC in local
> configuration..

Yes.

* remove all references to PAC
* Send Identity-Hint with all configured Phase 2 identities
  https://datatracker.ietf.org/doc/html/draft-ietf-emu-rfc7170bis-19#section-4.2.20
* Mandate support for TLS 1.2 or later
  https://datatracker.ietf.org/doc/html/draft-ietf-emu-rfc7170bis-19#phase1
* Double-check ciphers as per the previous link

Those are the minimal changes which will make TEAP better. I'll see if myself or a member of my team can look at these in the new year.

We could also add:

* Certificate provisioning
  https://datatracker.ietf.org/doc/html/draft-ietf-emu-rfc7170bis-19#name-certificate-provisioning-wi

However, I'm not aware of any other TEAP peer or server which currently supports this workflow. There are unresolved issues, such as if you use unauthenticated provisioning mode because you lack credentials, how can you prove who you are, in order to get a certificate provisioned? These, and other, questions have remained unanswered in the IETF EMU working group, and by the various proponents of TEAP.

I don't claim to understand what TEAP is supposed to do. I was just the unfortunate person responsible for copy-editing 7170bis.

Alan DeKok.