1. Introduction
TLS-POK addresses onboarding devices with no or limited user interface. When a device needs network access to obtain a credential, but also needs a credential to access an IEEE 802.1X / EAP network, bootstrapping becomes circular.
If the device has a public/private key pair and the public key can be trusted out of band, the device can authenticate to a TLS or EAP server. Device Provisioning Profile (DPP), also known as Wi-Fi Easy Connect, covers Wi-Fi onboarding but does not cover wired network access or define use of the DPP key pair in TLS. TLS-POK fills that gap.
TLS-POK SHOULD NOT be used for bootstrapping against wireless networks and SHOULD be used for bootstrapping against wired networks.
1.1. Terminology
BSK is a Bootstrap Key, an elliptic-curve public/private key pair suitable for ECDSA. EPSK means External Pre-Shared Key. TEAP is Tunnel Extensible Authentication Protocol. NAI is Network Access Identifier.
1.2. Bootstrapping Overview
The private part of the BSK is known only by the device. The public part is known by the device owner and provisioned on the TLS server. The server proves it knows the public key; the device proves it knows the private key. In an EAP deployment, the EAP server SHOULD provision a credential for later EAP authentication.
1.3. EAP Network Access
The bootstrapping exchange can give the device enough connectivity to use TEAP or another enrollment mechanism to obtain a credential for later EAP authentication.
1.4. Supported EAP Methods
This RFC assumes TEAP is the supported EAP method because TEAP supports certificate provisioning. Future EAP methods may also use TLS-POK, but that is out of scope.