> On Nov 18, 2019, at 10:47 AM, Cappalli, Tim (Aruba) <t...@hpe.com> wrote:
>
> Alan – Adding yet another OID and/or EKU to a certificate does not change the
> fact that no authority can attest to that information. A public CA cannot
> validate ownership of an NAIRealm.

That's not true. Public CAs validate ownership of domain names. The NAIRealm is a domain name. And, the NAIRealm is the *same* as the domain name in the certificate. Which the CA validated.

Unless you have a counter-argument, that discussion should be closed.

> So while a supplicant could be configured to validate that the server’s
> NAIRealm matches the local configuration, that doesn’t change the requirement
> to manually configure the supplicant.

I explained how it could simplify the supplicant's configuration.

> So what are we actually trying to improve here?

See my previous messages for explanations.

Alan DeKok.