Re: [Emu] Best practices for supplicants and authenticators

2019-11-19 Thread Owen Friel (ofriel)
Assuming that NAIRealm is a registered domain as per RFC 7542, and thus public CAs can verify ownership, the goal / where we want to get to is:
- CA may be a public CA and thus public CAs can be enabled by default in supplicant config
- supplicant checks NAI Realm in the EAP identity cert

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-19 Thread Alan DeKok
On Nov 18, 2019, at 7:39 PM, Dan Harkins wrote:
>> What happens if the CA checks some things, and not others?
>
> Then it means the CA is certifying things it shouldn't.

Well, that's what happens with most CAs.

>> Define "validation" :)
>
> I'll pass on playing that game.

We