On Jan 17, 2020, at 1:29 PM, Michael Richardson <mcr+i...@sandelman.ca> wrote:
> You omitted an important part of that output, which is the name of the CA,
> which I include below.

Sure.

> It could be that the CSP permits SMTP, or SUBMISSION service.
> Ryan has suggested that CAs could put EAP-TLS (or EAP-TEAP) into their CSP,
> and that also seems like an out.

I agree.

> Certainly, some of the excitement for ACME/Letsencrypt with DNS-01 challenge
> is that it makes it easy to get a certificate for a non-HTTP thing.
>
> I think we need to fix the lawyers, not the protocol.

That is likely the best approach.

At this point, use of id-kp-serverAuth is widespread *outside* of HTTP. EAP / RADIUS is not unique in its misuse of that OID.

As such, this discussion should be more productively focussed on non-HTTP misuses of id-kp-serverAuth. Which means pretty much everything using TLS.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu