Hi,
Thank you for your feedback.

I was unaware of RFC 7585. I had a brief look at it and it seems that
the certificate part could be used for the goal I try to achieve.

I'm not quite sure if the naiRealm should be used for validation on
supplicants for EAP-TLS. I would assume it would not be a security
issue, but I don't have enough experience to be sure about that.

The main reason why I submitted this draft is my experience from the
deployment of eduroam at University Bremen.
With expiry of the used root CA and the needed migration, we have forced
all our users to use one specific outer Identity, to be sure the users
configure their devices with the eduroam Configuration Assistant Tool
(CAT, cat.eduroam.org) instead of a manual configuration, because in our
experience manually configured devices almost always lacked configuration
for certificate checking.
But I just have experience in local deployment; the federation
connections are done at higher levels (country research networks), and I
don't have an insight there.

Greetings,
Jan-Frederik Rieckers

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
