On Jan 20, 2020, at 9:29 AM, Ryan Sleevi <ryan-i...@sleevi.com> wrote:
>
> I'm well aware the end goal is that on a 'stock' install of your OS of
> choice, everything just works. I've outlined several times a plan to get to
> that - and which does not involve shipping roots in the OS, but roots in the
> supplicant that comes with the OS. The distinction is quite meaningful for
> the reasons outlined throughout this thread, even if the end user experience
> is "it just works"

I think the distinction you’re trying to make between the OS and supplicants is very much an “inside baseball” view. Modern OSes rely on a number of support components to deliver core functionality. The OS is more than the kernel, GUI, CLI and browser. From an end user perspective, all the OS-vendor shipped support components and utilities *are* the OS. It’s not a useful distinction from a User Experience perspective that the supplicant code is or is not written by the same company as the kernel (and I suspect often it is). It’s shipped as part of the product.

The arguments about the differentiated policies for use of certificates and trust of CAs are probably technically sound. I think the notion that supplicant components can ship with a separate root CA store from that used for the browser is perhaps workable. However, it’s still the OS vendor that must include this configuration for it to “just work out of the box”. For that reason, I think the claim that it’s not the OS which must support the appropriate CAs is a distinction without a difference, and perhaps a red herring.

Regards,

Dave Nelson

> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu