On Mon, Apr 12, 2021 at 6:02 AM Eliot Lear <l...@cisco.com> wrote:

> Hi Alan,
>
> On 12 Apr 2021, at 14:52, Alan DeKok <al...@deployingradius.com> wrote:
>
> EAP TLS peer implementations MUST allow for configuration of a unique
> trust root to validate the server's certificate.
>
> This statement seems independent of the previous one, and may be overly
> broad. Let me give you an example: a device may be designed only to
> operate as part of a federation.
>
> I would argue there that the federation should have its own CA.
>
> That’s what I’m thinking. But I could imagine hardcoded devices that make
> use of it. That’s all.
>

[Joe] Relying on a burned in certificate this way seems like a really bad idea. What happens when that certificate expires?

> Eliot
>
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu