> On Sep 17, 2024, at 1:58 PM, Vladimir Dzhuvinov <vladi...@connect2id.com>
> wrote:
>
> I frankly don't see how the central premise of PIKA - the reliance on a TLS
> web domain certificate - can be made to work in practice.
>
> Reasons: Infrastructure in the real world, mixing of concerns, conflict with
> CA policies and CAB Forum requirements, NIST etc guidance compliance issues.
>
I agree with Vladimir unfortunately.
A certificate is a bundle of restrictions, but the two most critical are on
subject name and purpose. This reuses a certificate meant to secure network
traffic with a particular DNS name to one securing arbitrary application
messages from a particular origin.
This would not only break a lot of organizational security policies (and
potentially conflict with how they deploy their network infrastructure), but
would also ignore CA policy that is baked into the TLS certificate.
-DW
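To make the "bundle of restrictions" point concrete, here is an added example that is not part of this thread or of any PIKA draft. It uses only Go's standard library: it mints a constructed self-signed certificate shaped like an ordinary TLS web-domain certificate (DNS SAN plus the serverAuth extended key usage, nothing else) and then asks the standard X.509 verifier whether that certificate may be used for a given name and purpose. The host name and the helper names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueServerCert builds a constructed, self-signed certificate with the two
// restrictions a typical TLS web-domain certificate carries: a DNS subject
// alternative name and an extended key usage limited to serverAuth. It is
// marked as a CA only so that it can anchor its own one-element chain below.
func issueServerCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckUsage asks the standard verifier whether cert (trusted as its own
// root) may be used for dnsName and for the extended key usage eku.
// A nil error means the certificate's restrictions permit that use; a
// non-nil error is the verifier enforcing the name or purpose restriction.
func CheckUsage(cert *x509.Certificate, dnsName string, eku x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{eku},
	})
	return err
}

func main() {
	cert, err := issueServerCert("api.example.com") // hypothetical name
	if err != nil {
		panic(err)
	}
	// The intended use: same DNS name, TLS server authentication.
	fmt.Println("api.example.com / serverAuth:",
		CheckUsage(cert, "api.example.com", x509.ExtKeyUsageServerAuth))
	// Subject-name restriction: a different name is rejected.
	fmt.Println("other.example.com / serverAuth:",
		CheckUsage(cert, "other.example.com", x509.ExtKeyUsageServerAuth))
	// Purpose restriction: the same name, but a non-TLS purpose, is rejected.
	fmt.Println("api.example.com / codeSigning:",
		CheckUsage(cert, "api.example.com", x509.ExtKeyUsageCodeSigning))
}
```

The first call succeeds; the second fails with a hostname mismatch and the third with an incompatible-usage error, because `Verify` checks `opts.DNSName` against the SAN list and `opts.KeyUsages` against the EKU extension on every certificate in the chain. Any relying party that accepts such a certificate for signing arbitrary application messages has to skip or override exactly these checks, which is the mismatch between the certificate's stated purpose and the proposed use.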
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org