Alan DeKok <al...@deployingradius.com> wrote:
> * CAs should validate (somehow) any CSR they receive, to check that the
> contents are reasonable
I guess this is the new section 3.2.8. There are quite a number of subtleties here.

First, the CSR is not really that complex :-) More importantly, there are not really any standard ways to communicate with CAs about exceptions, about things in the CSR that need to be added or ignored. The CAs do what they want, and the TEAP/EAP peer is pretty much left with either failing the CSR after examining it, or just trusting. Or using an integrated CA or a proprietary API. Frankly, this is what I recommend: run your own CA.

Probably some reference to the 4.2.18. CSR-Attributes TLV section.

And I see that you have dealt with the Base64 goof (RFC8951), and the new format.

I would welcome your comments on the latest document, and on David van Oheim's proposal that is coming up in some slides at the next meeting. TEAP is likely a good greenfield for his simplified view.
_______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
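The thread leaves open what "validate (somehow) any CSR they receive" would look like in practice for an integrated CA sitting behind a TEAP server. The following is an added example from the editor, not code from the draft, from either poster, or from any TEAP implementation. It assumes a hypothetical local policy (a DNS zone the CA owns and a minimum RSA size) and uses only the Go standard library's crypto/x509. The checks it applies are the ones a CA can make without any out-of-band agreement with the peer: the self-signature proves possession of the key, the key must be of an acceptable type and size, every requested name must fall in the CA's own zone with no email, IP or URI SANs, and the request must not try to smuggle in a basicConstraints extension. The sample CSRs are built inside the block with freshly generated keys and are constructed test input, not captured from a real device.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"strings"
)

// Policy is what this hypothetical integrated CA is willing to sign.
type Policy struct {
	DNSSuffix  string // every DNS SAN must sit under this zone
	MinRSABits int
}

var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}

// ValidateCSR parses a DER-encoded CSR and applies Policy. It returns nil
// only when the request is acceptable for signing.
func ValidateCSR(der []byte, p Policy) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return fmt.Errorf("malformed CSR: %w", err)
	}
	// The CSR's self-signature proves the requester holds the private key.
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("proof of possession failed: %w", err)
	}
	switch k := csr.PublicKey.(type) {
	case *rsa.PublicKey:
		if k.N.BitLen() < p.MinRSABits {
			return fmt.Errorf("RSA key too small: %d bits", k.N.BitLen())
		}
	case *ecdsa.PublicKey:
		if k.Curve != elliptic.P256() && k.Curve != elliptic.P384() {
			return fmt.Errorf("unsupported curve %s", k.Curve.Params().Name)
		}
	default:
		return errors.New("unsupported public key type")
	}
	// Only DNS names in our own zone; a network peer gets no email/IP/URI SANs.
	if len(csr.DNSNames) == 0 {
		return errors.New("no DNS SAN requested")
	}
	if len(csr.EmailAddresses)+len(csr.IPAddresses)+len(csr.URIs) > 0 {
		return errors.New("non-DNS SANs are not allowed")
	}
	for _, n := range csr.DNSNames {
		if !strings.HasSuffix(strings.ToLower(n), "."+p.DNSSuffix) {
			return fmt.Errorf("DNS name %q is outside %s", n, p.DNSSuffix)
		}
	}
	// The peer must not ask for CA status; basicConstraints is the CA's call alone.
	for _, ext := range csr.Extensions {
		if ext.Id.Equal(oidBasicConstraints) {
			return errors.New("CSR requests basicConstraints; only the CA sets that")
		}
	}
	return nil
}

// buildCSR plays the TEAP peer: it self-signs a request for the given names.
// Helper for constructed sample input; not part of any real peer.
func buildCSR(key crypto.Signer, cn string, dns []string, extra []pkix.Extension) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:         pkix.Name{CommonName: cn},
		DNSNames:        dns,
		ExtraExtensions: extra,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// basicConstraintsCA encodes BasicConstraints ::= SEQUENCE { cA BOOLEAN } with cA=TRUE.
func basicConstraintsCA() pkix.Extension {
	val, _ := asn1.Marshal(struct {
		CA bool `asn1:"optional"`
	}{true})
	return pkix.Extension{Id: oidBasicConstraints, Critical: true, Value: val}
}

// Scenarios runs four constructed requests through the policy and reports the
// validation result for each (nil means the CA would sign it).
func Scenarios() map[string]error {
	pol := Policy{DNSSuffix: "devices.example.net", MinRSABits: 2048}
	ec, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	weakRSA, _ := rsa.GenerateKey(rand.Reader, 1024)
	out := map[string]error{}

	der, _ := buildCSR(ec, "node1.devices.example.net", []string{"node1.devices.example.net"}, nil)
	out["good"] = ValidateCSR(der, pol)

	der, _ = buildCSR(ec, "node1", []string{"node1.devices.example.net"}, []pkix.Extension{basicConstraintsCA()})
	out["asks-for-ca"] = ValidateCSR(der, pol)

	der, _ = buildCSR(ec, "evil", []string{"login.bank.example.com"}, nil)
	out["foreign-name"] = ValidateCSR(der, pol)

	der, _ = buildCSR(weakRSA, "node2", []string{"node2.devices.example.net"}, nil)
	out["weak-rsa"] = ValidateCSR(der, pol)
	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-13s -> %v\n", name, err)
	}
}
```

Note that the policy is expressed as rejections rather than as a list of attributes to silently drop: as the message above points out, there is no standard channel for telling the peer which parts of its CSR were ignored, so a CA that quietly strips a name or extension leaves the peer unable to tell whether the certificate it gets back is the one it asked for. Rejecting outright keeps the outcome unambiguous on both sides.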