> So I see this as two new methods:
>
> 1) tunnelled FIDO - for use in TTLS, PEAP, or other TLS-based EAP methods.
>
> 2) TLS-based method with tunnelled FIDO - it can make new / stronger requirements on CA validation, server identity, etc.
So (2) would be the moral equivalent of (1) inside an existing tunnelled method where WebPKI is mandated for server cert validation?

I have worked with organisations who run AD Certificate Services for the sole purpose of issuing a single server certificate for their NPS cluster, so I am very much in favour of making server certificate validation simpler. However, I think we need to be very circumspect about out-sourcing that to the WebPKI. Is there another IETF protocol that does this?

Josh

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu