This is also related to ongoing anima discussions about RFC 8366, and how it can bootstrap trust when the pinned domain cert is a public PKI CA, and not a private CA, and hence additional domain (or realm or FQDN) info is also needed in order for the peer to verify the identity of the server.
Its also relevant for ongoing Wi-Fi Alliance DPP discussions about bootstrapping a supplicant onto an 802.1X network - after a supplicant completes DPP and gets provisioned with a trust anchor - what if that trust anchor is a public PKI? It’s the same problem. One deployment consideration is if an operator wants to use a public PKI (e.g. Lets Encrypt) for their AAA certs, then it could be years, if ever, before these extensions could be supported (as Alan alludes to), so it would also be good to define how this could work with standard RFC 6125 DNS-IDs / RFC 5280 dNSNames. > -----Original Message----- > From: Emu <emu-boun...@ietf.org> On Behalf Of Jan-Frederik Rieckers > Sent: 11 November 2019 09:42 > To: Alan DeKok <al...@deployingradius.com>; Russ Housley > <hous...@vigilsec.com> > Cc: emu@ietf.org > Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS > > Hi, > Thank you for your feedback. > > I was unaware of RFC 7585. I had a brief look on it and it seems that the > certificate part could be used for the goal I try to achieve. > > I'm not quite sure if the naiRealm should be used for validation on > supplicants > for EAP-TLS. I would assume it would not be a security issue, but I don't have > enough experience to be sure about that. > > The main reason why I submitted this draft is my experience from the > deployment of eduroam at University Bremen. > With expiry of the used root CA and the needed migration, we have forced all > our users to use one specific outer Identity, to be sure the users configure > their > devices with the eduroam Configuration Assistant Tool (CAT, cat.eduroam.org) > instead of a manual configuration, because in our experience manual configured > devices almost always lacked configuration for certificate checking. > But I just have experience in local deployment, the federation connections are > done at higher levels (country research networks), I don't have an insight > there. > > Greetings, > Jan-Frederik Rieckers _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
