On Tue, Jan 7, 2020 at 9:00 PM Alan DeKok wrote:
> > The question posed in that original message is what to do with extant
> certificates and extant practices, such as going to CAs used for TLS and
> asking for an id-kp-serverAuth cert, or supplicants looking for
> id-kp-serverAuth, and whether t
Hi Ryan,
This topic seems like a good one to just get on the phone and sort through, but
I have one question:
On 8 Jan 2020, at 09:11, Ryan Sleevi wrote:
However, if using the same set of CAs that popular OSes use for TLS, it does
mean that these CAs, and their c
On Wed, Jan 8, 2020 at 5:00 AM Eliot Lear (elear) wrote:
> Hi Ryan,
>
> This topic seems like a good one to just get on the phone and sort
> through, but I have one question:
>
> On 8 Jan 2020, at 09:11, Ryan Sleevi wrote:
>
> However, if using the same set of CAs that popular OSes use for TLS,
Thanks, Ryan. After I sent the note I thought about document signing. Our
SUDI model at Cisco I view as somewhat different, but may be closer to apt to
EAP anyway, so worth discussing.
Eliot
On 8 Jan 2020, at 12:26, Ryan Sleevi wrote:
On Wed, Jan 8, 2020 at 5
Mohit Sethi has requested publication of draft-ietf-emu-eap-session-id-02 as
Proposed Standard on behalf of the EMU working group.
Please verify the document's state at
https://datatracker.ietf.org/doc/draft-ietf-emu-eap-session-id/
On Jan 8, 2020, at 3:11 AM, Ryan Sleevi wrote:
> However, if using the same set of CAs that popular OSes use for TLS, it does
> mean that these CAs, and their customers, will still be subject to the same
> agility requirements, and limited to the same profile as TLS. Because of
> this, there’s
On Wed, Jan 8, 2020 at 8:14 AM Alan DeKok wrote:
> Except, of course, CAs don't really have a process to issue certs with
> distinct EKUs. So they're impossible to get in practice.
>
I'm not sure what your data to support this is, but this does not match the
commercial space. While I think we
To clarify, we agree on the following:
* id-kp-serverAuth is wrong to use for EAP
* we should use something else, whatever that is
The rest of the disagreement is (from what I see), bringing up situations or
use-cases which are unrelated to EAP, and therefore confusing the issue.
On Jan 8,
On Wed, Jan 8, 2020 at 10:38 AM Alan DeKok wrote:
> The rest of the disagreement is (from what I see), bringing up
> situations or use-cases which are unrelated to EAP, and therefore confusing
> the issue.
>
They're related to the proposal that started this thread, which I'm trying
to focus th
On Jan 8, 2020, at 11:29 AM, Ryan Sleevi wrote:
> On Wed, Jan 8, 2020 at 10:38 AM Alan DeKok wrote:
> The rest of the disagreement is (from what I see), bringing up situations
> or use-cases which are unrelated to EAP, and therefore confusing the issue.
>
> They're related to the proposal tha
Alan DeKok wrote:
alan> Many people use private CAs. Many use public CAs. *All* of them
alan> use id-kp-serverAuth. Common EAP supplicants (MS / Apple / etc.)
alan> ship with known root CAs. These root CAs are trusted by default
alan> for web browsing. None are trusted by def
On Jan 8, 2020, at 3:00 PM, Michael Richardson wrote:
>
>
> Alan DeKok wrote:
>alan> Many people use private CAs. Many use public CAs. *All* of them
>alan> use id-kp-serverAuth. Common EAP supplicants (MS / Apple / etc.)
>alan> ship with known root CAs. These root CAs are truste