**Session Date/Time:** 23 Jul 2024 20:00

# emu

## Summary

The EMU working group meeting at IETF 120 covered several topics related to authentication and privacy, including updates on existing drafts and discussions on new mechanisms. Presentations were given on EAP.ARPA for provisioning, EAP-EDHOC, EAP-FIDO (potentially renamed to EAP-Net-Authn), RADIUS security issues, EAP-PPT for privacy-preserving authentication, and post-quantum cryptography for EAP-AKA'.

## Key Discussion Points

* **EAP.ARPA:** Alan presented on the use of EAP.ARPA for provisioning, emphasizing its non-routable nature and the need for IAB permission. The discussion clarified that no DNS entries would be created for this domain and that its use is local signaling within EAP.
* **EAP-EDHOC:** Dan provided an update on EAP-EDHOC, focusing on byte-saving optimizations in the flag field and successful interoperability testing at the Paris Hackathon. Reviewers for the draft are needed.
* **EAP-FIDO (EAP-Net-Authn):** Jan Fred presented an update on EAP-FIDO, highlighting the progress on the proof-of-concept implementation. Issues such as crypto agility and platform authenticator limitations were discussed. The potential renaming to EAP-Net-Authn was introduced. Discussions with W3C are planned.
* **RADIUS Security (Blast Radius):** Alan delivered a prompted briefing on security flaws in RADIUS, specifically the lack of integrity checks on certain packets. This allows for potential man-in-the-middle attacks.
* **EAP-PPT:** Bod and Parish presented EAP-PPT, a privacy-preserving authentication method using Privacy Pass tokens. The discussion centered on the use of attestations and unlinkability to protect user privacy. Feedback from the Privacy Pass working group is deemed crucial.
* **Post-Quantum Crypto (PQC) for EAP-AKA':** Eritra presented two drafts: one using a hybrid post-quantum/traditional approach and another using a pure post-quantum key exchange for EAP-AKA'. The discussion focused on the rationale for the different approaches and potential commonalities.

## Decisions and Action Items

* **EAP.ARPA:** Alan to make minor updates to the draft and issue a new revision. Last call to follow soon after.
* **EAP-EDHOC:** Alan volunteered to review the draft. The other Dan suggested exploring UI changes for Android integration.
* **EAP-PPT:** Coordinate with the Privacy Pass working group and understand the privacy implications of this method.

## Next Steps

* **EAP.ARPA:** Prepare for last call.
* **EAP-EDHOC:** Address reviewer feedback and continue implementation.
* **EAP-FIDO (EAP-Net-Authn):** Continue discussions with W3C and address outstanding issues related to crypto agility and platform authenticators.
* **EAP-PPT:** Present to the Privacy Pass working group. Determine if a recharter is needed to adopt the method, and work with Paul to coordinate.
* **PQC for EAP-AKA':** Address feedback on the two drafts.