On Nov 12, 2019, at 11:43 AM, Russ Housley <hous...@vigilsec.com> wrote:
>
> Can the extended key usage for EAP over a LAN (id-kp-eapOverLAN) solve this
> for you? It is defined in RFC 4334. A certificate for Web PKI should not
> include this extended key usage.
>
> RFC 4334 also offers a certificate extension that lists the SSIDs that are
> associated with the server.

That does sound relevant. I wasn't even aware of that document.

While RFC 4334 offers the id-kp-eapOverLAN OID, I'm not aware of anyone using it. Even Microsoft supplicants still require the TLS web server auth OID (1.3.6.1.5.5.7.3.1).

So yes, RFC 4334 is absolutely relevant here.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu