On Sun, Jan 19, 2020 at 8:26 AM Russ Housley <hous...@vigilsec.com> wrote:
>
> It seems to me that RFC 4334 offers a way for an enterprise to assert that
> the certificate is intended to be used with a particular SSID. This seems
> better than a self-signed certificate with just a domain name.
>
> I understand that CA/B Forum does not allow these extensions and attributes,
> but as already highlighted in this discussion, these certificates are not
> part of the Web PKI.
I don't think it is that straightforward. The operating system vendors that ship supplicants heavily overlap with the ones who set the CA/Browser Forum requirements. They are also the ones who require CAs in their OS trust stores to follow the CA/BF requirements. The CA/BF has made it clear over the last year or two that it is willing to include other (non-WWW) types of certificates as permitted in its requirements, but looks to the IETF and other organizations to set the technical standards.

For RFC 4334, we have a technical standard (good!). However, 4334 calls out that "SSIDs may not be unique". This makes it very tricky to use a shared root setup, as it does not provide any guidance on who gets to have a certificate for the SSID "Guest". This is analogous to the issue of unqualified hostnames mentioned earlier in this discussion (who gets a TLS certificate for "mail"?).

How are CAs trusted by supplicants expected to decide who gets a certificate for a given SSID?

Thanks,
Peter

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
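To make the non-uniqueness problem Peter raises concrete, here is an added example that is not part of the Emu thread and not code from either poster. It encodes and decodes the RFC 4334 WLAN SSID extension (id-pe-wlanSSID, 1.3.6.1.5.5.7.1.13, an SSIDList of OCTET STRINGs) and the id-kp-eapOverLAN EKU, issues two toy EAP server certificates from two constructed issuers that both list the SSID "Guest", and shows that an SSID match alone is satisfied by both, so a supplicant must additionally bind to the issuer (or another out-of-band anchor) it expects. It assumes the Python `cryptography` library; the issuer names, server names and SSIDs are constructed sample values.

```python
# Added example (not from the Emu thread): RFC 4334 wlanSSID extension and
# why an SSID match alone cannot disambiguate a shared SSID such as "Guest".
from datetime import datetime, timedelta, timezone
from typing import List

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ObjectIdentifier

# OIDs from RFC 4334: id-pe-wlanSSID (section 3) and id-kp-eapOverLAN (section 2)
ID_PE_WLAN_SSID = ObjectIdentifier("1.3.6.1.5.5.7.1.13")
ID_KP_EAP_OVER_LAN = ObjectIdentifier("1.3.6.1.5.5.7.3.14")


def encode_ssid_list(ssids: List[bytes]) -> bytes:
    """DER-encode SSIDList ::= SEQUENCE SIZE (1..MAX) OF OCTET STRING (SIZE (1..32)).

    Short-form lengths suffice: each SSID is at most 32 octets and we encode a few."""
    if not ssids:
        raise ValueError("SSIDList must contain at least one SSID")
    body = b""
    for s in ssids:
        if not 1 <= len(s) <= 32:
            raise ValueError("SSID must be 1..32 octets")
        body += b"\x04" + bytes([len(s)]) + s
    if len(body) >= 128:
        raise ValueError("too many SSIDs for short-form length encoding")
    return b"\x30" + bytes([len(body)]) + body


def decode_ssid_list(der: bytes) -> List[bytes]:
    """Parse an SSIDList with short-form lengths; reject anything malformed."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("malformed SSIDList")
    out, i = [], 2
    while i < len(der):
        if der[i] != 0x04 or i + 1 >= len(der) or der[i + 1] >= 0x80:
            raise ValueError("malformed SSID element")
        n = der[i + 1]
        if not 1 <= n <= 32 or i + 2 + n > len(der):
            raise ValueError("bad SSID length")
        out.append(der[i + 2 : i + 2 + n])
        i += 2 + n
    if not out:
        raise ValueError("SSIDList must contain at least one SSID")
    return out


def issue_eap_server_cert(issuer_cn: str, server_cn: str, ssids: List[bytes]) -> x509.Certificate:
    """Build a toy EAP server certificate carrying the wlanSSID extension.

    Constructed issuer: the cert is signed with its own key here purely so the
    example runs offline; in practice the named CA would sign it."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, server_cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=1))
        .not_valid_after(now + timedelta(days=1))
        .add_extension(x509.ExtendedKeyUsage([ID_KP_EAP_OVER_LAN]), critical=False)
        .add_extension(x509.UnrecognizedExtension(ID_PE_WLAN_SSID, encode_ssid_list(ssids)), critical=False)
        .sign(key, hashes.SHA256())
    )


def cert_asserts_ssid(cert: x509.Certificate, ssid: bytes) -> bool:
    """Supplicant-side check: does the certificate's SSIDList contain this SSID?"""
    try:
        ext = cert.extensions.get_extension_for_oid(ID_PE_WLAN_SSID)
    except x509.ExtensionNotFound:
        return False
    return ssid in decode_ssid_list(ext.value.value)


def supplicant_accepts(cert: x509.Certificate, ssid: bytes, trusted_issuer_cn: str) -> bool:
    """The SSID match plus a binding to the expected issuer; the issuer binding is
    what actually disambiguates a shared SSID, since RFC 4334 cannot."""
    issuer_cn = cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return cert_asserts_ssid(cert, ssid) and issuer_cn == trusted_issuer_cn


if __name__ == "__main__":
    corp = issue_eap_server_cert("CorpCA", "radius.corp.example", [b"Guest", b"corp-secure"])
    other = issue_eap_server_cert("OtherOrgCA", "radius.other.example", [b"Guest"])
    # Both certificates legitimately assert "Guest"; only the issuer binding separates them.
    print("SSID-only:", cert_asserts_ssid(corp, b"Guest"), cert_asserts_ssid(other, b"Guest"))
    print("with issuer pin:", supplicant_accepts(corp, b"Guest", "CorpCA"),
          supplicant_accepts(other, b"Guest", "CorpCA"))
```

Both `cert_asserts_ssid` calls return True for "Guest", which is exactly the gap in the thread: the extension lets an enterprise state its intent, but a supplicant trusting a shared root has no way to tell, from the SSID alone, which of two honest issuers' "Guest" certificates it should accept. The `supplicant_accepts` check stands in for whatever additional anchor a deployment pins (a specific issuer, an expected server name, or a provisioning profile).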