On Jan 18, 2020, at 2:20 AM, Ryan Sleevi <ryan-i...@sleevi.com> wrote:
>
> Or... just stop using those certs/roots already? We’ve already identified
> that there is absolutely zero reason to do so in the extant status quo,
> because it still requires manual configuration.
... for EAP. And only for EAP. That comment doesn't apply to SMTP, XMPP, IMAP, DNS over TLS, VPNs, RADIUS over TLS, etc. SMTP servers misuse "WWW" certificates precisely *because* it requires zero client configuration. It leverages an existing trust store to increase security. And that's a good thing.

As noted by Michael, CAs are using certificates in a way that violates their own policy. The misuse problem is therefore larger, and worse, than the minor issue of EAP *sometimes* using WWW certs.

My previous messages explained that the common practice for EAP is to use private CAs. For the reasons you outlined above, and more. Pretty much everyone in the EAP community was convinced of this 15+ years ago. It has been standard / recommended practice for 15+ years.

Finally, there are reasons to use public CAs for EAP. I have customers who do this today, for internal corporate policy reasons. I've recommended that they don't do it, but their internal "security" team overrules me.

The rest of your comments are trying to convince people of things that they're already convinced of. We already know this, we already agree (mostly).

The disagreement is this: your underlying assumption is that these are the rules, and they have to be followed. I believe that this is the IETF, and that we make the rules. If we need to change the rules, then we just do so. And the Internet community has to follow.

There are details as to which rules apply where, and to whom. But as the IETF, we are entirely within our purview to allow the use of id-kp-serverAuth in EAP, SMTP, etc. Or, to come up with a new scheme that replaces id-kp-serverAuth.

If the rules have to be applied strictly, then you have been made aware that the CAs you pointed to are violating their own policies. Therefore, you are under a moral obligation to report this misuse to them. Failure to do so is a tacit admission that you are not applying the rules in practice, while at the same time claiming that the rules have to be stringently followed.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu