On Apr 11, 2021, at 11:19 PM, Joseph Salowey <[email protected]> wrote:

> 2. CAs MAY issue certs to EAP Servers that specify the id-kp-eapOverLAN EKU specified in RFC 3770. EAP TLS peer implementations SHOULD allow for the configuration to require the id-kp-eapOverLAN EKU for validation of EAP server certificates.

Just one final note on id-kp-eapOverLAN. RFC 3770 describes that as being used for client certs. If we allow it for server certs, then how can we tell them apart? i.e. a client could take its cert, set itself up as a WiFi hotspot, and no *other* client could tell the difference between the "fake" server cert, and a real one.

As a result, it looks like id-kp-eapOverLAN is not appropriate for server certs.

Alan DeKok.

_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
