-----Original Message-----
From: Emu <emu-boun...@ietf.org> On Behalf Of Michael Richardson
Sent: 12 November 2019 09:20
To: emu@ietf.org
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS
On 2019-11-12 7:15 a.m., Owen Friel (ofriel) wrote:
> This is also related to ongoing anima discussions about RFC 8366, and how it 
> can bootstrap trust when the pinned domain cert is a public PKI CA, and not a 
> private CA, and hence additional domain (or realm or FQDN) info is also 
> needed in order for the peer to verify the identity of the server.

While I'm familiar with this conversation, which I'm right now inspired to call 
the "Maria" problem ("How do you solve a problem like Maria.  How do you catch a 
cloud certificate and pin it down?")

I don't really understand what it has to do with the problem of an EAP client, 
**which is not doing initial onboarding**, to validate a certificate that it 
has received as part of EAP-TLS*.

[ofriel] Whether it's a first-time bootstrap or a subsequent EAP authentication, the 
EAP server is going to present the same identity cert to the client, and that 
could be signed by a public CA, and in both scenarios (bootstrap and 
reauthenticate) the client needs to know what identity to look for in the 
server cert.
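The point Owen makes above is that chain validation to a public CA is not enough on its own: the peer also has to compare the names in the server certificate against an identity it was told to expect. The following is an added illustration of that second step, written for this summary and not code from the thread, from any IETF draft, or from any EAP implementation. It assumes the peer has already validated the chain and extracted the subjectAltName dNSName entries (a constructed sample list is embedded), and that the expected identity is a configured FQDN; how that FQDN is provisioned (onboarding, a realm convention, or otherwise) is exactly the open question in the thread and is left out.

```python
"""Server-identity check an EAP-TLS peer needs on top of chain validation.

Added illustration for this thread summary, not code from the mailing list
or from any EAP/RADIUS project. Chain validation to a public CA only proves
that *someone* obtained a certificate from that CA; the peer must also match
the certificate's names against the identity it was configured to expect.
"""

# Constructed sample: subjectAltName dNSName entries as a peer would extract
# them from the server certificate after the chain has been validated.
SAMPLE_SAN_DNSNAMES = ["radius.example.com", "*.eap.example.net"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one dNSName SAN entry against the expected server name.

    Rules follow the usual RFC 6125 style:
      - comparison is case-insensitive and ignores a trailing dot
      - a single '*' is accepted only as the entire left-most label
      - the wildcard must be followed by at least two labels, so '*.com'
        never matches anything
      - the wildcard label matches exactly one label, never several
    """
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h

    p_labels = p.split(".")
    h_labels = h.split(".")
    # Only "*.rest.of.name" is a valid wildcard form; "r*.example.com" or
    # "*.*.example.com" are rejected rather than interpreted.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_server_identity(expected_name: str, san_dnsnames, chain_ok: bool):
    """Decide whether the peer should accept the server's certificate.

    Returns (accepted, reason). `chain_ok` is the result of the trust-anchor
    (public or private CA) validation that the peer performed beforehand;
    `expected_name` is the identity the peer was provisioned with.
    """
    if not chain_ok:
        return False, "certificate chain did not validate to a trusted CA"
    if not expected_name:
        # Without a configured identity, any certificate from the same public
        # CA would be accepted; refuse rather than guess.
        return False, "peer has no configured server identity to match against"
    for entry in san_dnsnames:
        if dns_name_matches(entry, expected_name):
            return True, f"matched SAN dNSName {entry!r}"
    return False, f"no SAN dNSName matches expected identity {expected_name!r}"


if __name__ == "__main__":
    for name in ("radius.example.com", "srv1.eap.example.net", "radius.other.example"):
        print(name, verify_server_identity(name, SAMPLE_SAN_DNSNAMES, chain_ok=True))
```

The third case in the usage block is the one the thread is about: a certificate that chains correctly to a public CA but carries a different name is rejected only because the peer had an expected identity to compare against.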


_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
