So you’re saying an NAIRealm must be a publicly registered domain name? I agree, but just want to be crystal clear.
tim

From: Alan DeKok <[email protected]>
Date: Monday, November 18, 2019 at 10:57 AM
To: Cappalli, Tim (Aruba) <[email protected]>
Cc: EMU WG <[email protected]>
Subject: Re: [Emu] Best practices for supplicants and authenticators

> On Nov 18, 2019, at 10:47 AM, Cappalli, Tim (Aruba) <[email protected]> wrote:
>
> Alan – Adding yet another OID and/or EKU to a certificate does not change the
> fact that no authority can attest to that information. A public CA cannot
> validate ownership of an NAIRealm.

That's not true. Public CAs validate ownership of domain names. The NAIRealm is a domain name. And, the NAIRealm is the *same* as the domain name in the certificate. Which the CA validated.

Unless you have a counter-argument, that discussion should be closed.

> So while a supplicant could be configured to validate that the server’s
> NAIRealm matches the local configuration, that doesn’t change the requirement
> to manually configure the supplicant.

I explained how it could simplify the supplicant's configuration.

> So what are we actually trying to improve here?

See my previous messages for explanations.

Alan DeKok.
_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
