On Nov 12, 2019, at 6:59 PM, Cappalli, Tim (Aruba) <[email protected]> wrote:
>
> Regardless of validation levels, it is not possible to own an ESSID. It is
> possible, however, to own a domain, email address, physical address, etc.
> That's the difference.

I think that's largely begging the question. Your comment seems to be that it's OK for a certificate to include an incorrect physical address, because that address is "owned" by someone. Even if the owner of that address knows nothing about the certificate request. I don't see how that's useful.

Which is why I asked about validation. If the CA doesn't validate addresses, why should it validate SSIDs?

Even worse, the CAs verify *control* of domain names. They don't verify *ownership* of the domain name. They're not quite the same thing. Is the person requesting the certificate the "owner" of the domain name? If not, is the certificate request authorized by the owner? None of this is checked by CAs right now.

> Putting an ESSID in a certificate is a slippery slope. I doubt any public CA
> or OS vendor would ever entertain this.

Both are well known to do "surprising" things with certificates. I'm not sure why they would care about additional fields in a certificate.

My point is that we have loose rules around the subjects of "ownership" and "validation". Simplistic statements are easy to make, but aren't particularly helpful.

In my view, if something is useful, practical and can be shown to be not harmful, then I think it can be used. Putting SSIDs into a certificate seems useful, and (at least) the PKIX WG seemed to have agreed.

Further, RFC 4334 in fact contains no text about "ownership" of the SSID. I.e. inclusion of an SSID in a certificate is *not* a statement about "ownership" of that SSID. So your comments seem to be against an issue that doesn't exist.

Alan DeKok.

_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
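The RFC 4334 point above, as an added example that is not part of the thread: a stdlib-only DER encoder/decoder for the SSIDList extension value (id-pe-wlanSSID, OID 1.3.6.1.5.5.7.1.13, cited from RFC 4334 rather than from the message) together with the match a supplicant performs, which shows that the extension carries nothing but a list of octet strings and no ownership semantics. The function names are mine, and the check assumes the supplicant passes the beacon SSID as raw bytes.

```python
def _der_len(n):  # encode a DER length, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_len(data, pos):  # decode a DER length at data[pos] -> (length, next pos)
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes

def encode_ssid_list(ssids):
    """SSIDList ::= SEQUENCE SIZE (1..MAX) OF SSID; SSID ::= OCTET STRING (SIZE (1..32))."""
    if not ssids:
        raise ValueError("SSIDList needs at least one SSID")
    body = b""
    for s in ssids:
        if not 1 <= len(s) <= 32:
            raise ValueError("SSID must be 1..32 octets")
        body += b"\x04" + _der_len(len(s)) + s   # OCTET STRING
    return b"\x30" + _der_len(len(body)) + body  # SEQUENCE

def decode_ssid_list(der):
    """Parse the extension value back into a list of raw SSID byte strings."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _read_len(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("length does not match extension value")
    ssids = []
    while pos < end:
        if der[pos] != 0x04 or pos + 1 >= end:
            raise ValueError("expected OCTET STRING")
        slen, pos = _read_len(der, pos + 1)
        if not 1 <= slen <= 32 or pos + slen > end:
            raise ValueError("bad SSID length")
        ssids.append(der[pos:pos + slen])
        pos += slen
    if not ssids:
        raise ValueError("empty SSIDList")
    return ssids

def ssid_permitted(ext_value, beacon_ssid):
    """Supplicant-side check: exact byte match against the list, nothing about ownership."""
    return beacon_ssid in decode_ssid_list(ext_value)
```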
