Ryan Sleevi <ryan-i...@sleevi.com> wrote:
    > While I think people are missing the forest for the tree, here's an
    > example CP/CPS from a CA:
    > https://www.certsign.ro/media/document/ZytpRDNNUTFHR01Ra2MxVUx4REdQZz09/original/CPS%20OV%20SSL_v%201.10_April%202019.pdf

certsign.ro uses a Fortinet.com certificate on their SMTP server.
Does Fortinet.com's CSP permit SMTP usage?
The certificate does not have the serverAuth bit set.

    > Customer will only use a TLS/SSL Certificate on the servers
    > accessible at the domain names listed in the issued Certificate

    > Remind me how an EAP-TLS/RADIUS server is accessible at that domain
    > name? And if someone points their domain name to my server, would that
    > require revocation?

"accessible" is not defined.  Maybe CAFORUM needs to write port 443 from now on?
If you were part of eduroam, and you used ryan-i...@sleevi.com as your
identity, then the roaming mechanism would eventually connect to your RADIUS
server using that name.  Thus, it is accessible.

Your gear analogy is understood, but for many of us, we see the specs as
having been designed by lawyers rather than engineers in order to maximize
profit and minimize interoperability.  I'm not arguing we are right.
It just feels like needless and wastefully restrictive attempts to create
market verticals.

    > In the specific context of thinking about "#2" - what a touch-free
    > future looks like - having it use the same root store as Web browsers
    > is the anti-pattern, because the requirements are different.

And yet, almost every single thing out there would like to be connected to by a
browser.
They can't, so we have an app-per-thing, and/or no-security.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu