So you’re saying an NAIRealm must be a publicly registered domain name? I agree, but just want to be crystal clear.
tim

From: Alan DeKok <al...@deployingradius.com>
Date: Monday, November 18, 2019 at 10:57 AM
To: Cappalli, Tim (Aruba) <t...@hpe.com>
Cc: EMU WG <emu@ietf.org>
Subject: Re: [Emu] Best practices for supplicants and authenticators

> On Nov 18, 2019, at 10:47 AM, Cappalli, Tim (Aruba) <t...@hpe.com> wrote:
>
> Alan – Adding yet another OID and/or EKU to a certificate does not change the
> fact that no authority can attest to that information. A public CA cannot
> validate ownership of an NAIRealm.

That's not true. Public CAs validate ownership of domain names. The NAIRealm is a domain name. And, the NAIRealm is the *same* as the domain name in the certificate. Which the CA validated.

Unless you have a counter-argument, that discussion should be closed.

> So while a supplicant could be configured to validate that the server’s
> NAIRealm matches the local configuration, that doesn’t change the requirement
> to manually configure the supplicant.

I explained how it could simplify the supplicant's configuration.

> So what are we actually trying to improve here?

See my previous messages for explanations.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu