On 2019-11-12 7:15 a.m., Owen Friel (ofriel) wrote:
> This is also related to ongoing anima discussions about RFC 8366, and how it
> can bootstrap trust when the pinned domain cert is a public PKI CA, and not a
> private CA, and hence additional domain (or realm or FQDN) info is also
> needed
On 2019-11-12 3:53 p.m., Jan-Frederik Rieckers wrote:
> On 12.11.19 00:15, Owen Friel (ofriel) wrote:
>> One deployment consideration is if an operator wants to use a public PKI
>> (e.g. Let's Encrypt) for their AAA certs, then it could be years, if ever,
>> before these extensions could be supp
On 12.11.19 10:28, Michael Richardson wrote:
> You were trying to do a CSR with some extra attributes with a CA (using
> ACME? Using LetsEncrypt?) and the CA ignored the things that it couldn't
> verify?
No, it was a direct request to the CA of our research network. The
problem here was that the
On Nov 12, 2019, at 2:53 AM, Jan-Frederik Rieckers wrote:
>
> On 12.11.19 00:15, Owen Friel (ofriel) wrote:
>> One deployment consideration is if an operator wants to use a public PKI
>> (e.g. Let's Encrypt) for their AAA certs, then it could be years, if ever,
>> before these
> On Nov 12, 2019, at 2:53 AM, Jan-Frederik Rieckers wrote:
>
> On 12.11.19 00:15, Owen Friel (ofriel) wrote:
>> One deployment consideration is if an operator wants to use a public PKI
>> (e.g. Let's Encrypt) for their AAA certs, then it could be years, if ever,
>> before
On Nov 12, 2019, at 11:43 AM, Russ Housley wrote:
>
> Can the extended key usage for EAP over a LAN (id-kp-eapOverLAN) solve this
> for you? It is defined in RFC 4334. A certificate for Web PKI should not
> include this extended key usage.
>
> RFC 4334 also offers a certificate extension t
How does a public CA prove ownership of an SSID?
From: Emu
Date: Tuesday, November 12, 2019 at 3:08 PM
To: Russ Housley
Cc: emu@ietf.org
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS
On Nov 12, 2019, at 11:43 AM, Russ Housley wrote:
>
> Can the extended key usage for EAP ove
On Nov 12, 2019, at 3:13 PM, Cappalli, Tim (Aruba) wrote:
>
> How does a public CA prove ownership of an SSID?
Do public CAs *always* verify addresses and/or telephone numbers, which are
normally included in certificates?
Do public CAs verify that email addresses in the certificate work?
Regardless of validation levels, it is not possible to own an ESSID. It is
possible, however, to own a domain, email address, physical address, etc.
That's the difference.
Putting an ESSID in a certificate is a slippery slope. I doubt any public CA or
OS vendor would ever entertain this.
Tim
On Nov 12, 2019, at 6:59 PM, Cappalli, Tim (Aruba) wrote:
>
> Regardless of validation levels, it is not possible to own an ESSID. It is
> possible, however, to own a domain, email address, physical address, etc.
> That's the difference.
I think that's largely begging the question.
Your