A couple things that stand out to me from having basically read the whole thread in one go (this is not intended to be an exhaustive list of open questions):
It was implied, but not fully clear to me, that Ryan thinks that someone so inclined could, right now, go around trying to connect to wifi using EAP authentication, grab a packet capture of the remote server using its id-kp-serverAuth certificate for authenticating the TLS-over-EAP connection, and report that certificate to its issuing CA as "misuse" requiring prompt revocation, at least for several major CAs. It's quite probable that I missed them as they went by, but specific links to specific CA policy documents that would classify such certificate usage as "misuse" (requiring revocation) would help clarify things, at least for me.

Is there anything better for implementations to actually do (as distinct from what we write down as recommendations) than to start setting up a parallel (purpose-specific) PKI now and trusting that in parallel with what they're currently doing, with the hope of being able to have a flag day many years down the line when the new PKI becomes the only thing that's trusted?

-Ben

On Wed, Jan 15, 2020 at 07:20:37PM -0800, Joseph Salowey wrote:
> There has been a lot of discussion on this thread, but I do not see
> anything actionable for the EAP-TLS 1.3 specification.
>
> Joe
>
> On Wed, Jan 8, 2020 at 12:48 PM Alan DeKok <al...@deployingradius.com> wrote:
>
> > On Jan 8, 2020, at 3:00 PM, Michael Richardson <mcr+i...@sandelman.ca> wrote:
> > >
> > > Alan DeKok <al...@deployingradius.com> wrote:
> > >     alan> Many people use private CAs. Many use public CAs. *All* of them
> > >     alan> use id-kp-serverAuth. Common EAP supplicants (MS / Apple / etc.)
> > >     alan> ship with known root CAs. These root CAs are trusted by default
> > >     alan> for web browsing. None are trusted by default for EAP.
> > >
> > > How can anyone be using public CAs for EAP, if none are trusted for EAP,
> > > and no public CAs issue certificates with id-kp-serverAuth?
> >
> > Every CA is manually enabled. Either by an end user, or by / on behalf of,
> > an administrator.
> >
> > The goal I'd like to reach is some method to allow supplicants to
> > automatically trust and enable certificates for EAP.
> >
> > Alan DeKok.
>
> _______________________________________________
> Spasm mailing list
> sp...@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu