Pinning the server certificate is unrealistic. A properly configured supplicant with a trusted private root and subject match is adequate and allows good security hygiene with server cert rotation.
I believe the id-kp-eapOverLAN EKU should be a MUST. Public CAs should not be issuing server certificates for EAP in the first place. I feel like this debate comes up every few years. Any public CA-signed TLS web server certificate that is used for EAP can be requested to be revoked for misuse. If an organization cannot ensure proper configuration of a supplicant, they should not be using EAP.

tim

________________________________
From: Emu <[email protected]> on behalf of Eliot Lear <[email protected]>
Sent: Monday, April 12, 2021 14:07
To: Alan DeKok <[email protected]>
Cc: EMU WG <[email protected]>
Subject: Re: [Emu] Issue 47 Certificate identity checks

> On 12 Apr 2021, at 19:54, Alan DeKok <[email protected]> wrote:
>
> On Apr 12, 2021, at 12:22 PM, Joseph Salowey <[email protected]> wrote:
>> [Joe] without some sort of name matching using certs from a public CA is
>> unwise.
>
> The only other alternative is to "pin" the server cert. Many systems
> support this.

Perhaps mentioning [Trust On] First Use (TOFU) would help here.

> That won’t work for headless wireless.

Yes, we have kicked that hornet’s nest. I hope everyone is wearing appropriate netting.

Eliot
_______________________________________________ Emu mailing list [email protected] https://www.ietf.org/mailman/listinfo/emu
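The supplicant-side checks the message and the quoted thread are arguing over (trust only a private root rather than the system store, match the server name, and require the id-kp-eapOverLAN EKU), written out as an added Go example. This is not code from the message, from any supplicant, or from any IETF draft; the root names, radius.example.org, www.example.org and the in-memory PKI are constructed for the demonstration, and using Go's crypto/x509 with ExtKeyUsageAny followed by an explicit scan of UnknownExtKeyUsage for OID 1.3.6.1.5.5.7.3.14 is this example's own choice. The three rejected cases are the ones the thread describes: a name that does not match, an ordinary serverAuth web certificate, and a certificate with the right name and EKU but issued by a root the supplicant does not trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDEAPOverLAN is id-kp-eapOverLAN (1.3.6.1.5.5.7.3.14, RFC 3770).
var OIDEAPOverLAN = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 14}

// VerifyEAPServerCert: chain to the one pinned private root, SAN dNSName match, eapOverLAN EKU.
func VerifyEAPServerCert(cert, root *x509.Certificate, expectedName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root) // the private root only, never the system trust store
	opts := x509.VerifyOptions{
		Roots:   roots,
		DNSName: expectedName, // matched against SAN dNSName, not a bare CN
		// ExtKeyUsageAny turns off Go's default serverAuth requirement; the EAP EKU is checked below.
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain or name check failed: %w", err)
	}
	for _, oid := range cert.UnknownExtKeyUsage {
		if oid.Equal(OIDEAPOverLAN) {
			return nil
		}
	}
	return fmt.Errorf("certificate lacks id-kp-eapOverLAN EKU")
}

// issue signs tmpl with signer (self-signed when nil) using a fresh P-256 key. Constructed test PKI only.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template returns a CA template (ca=true) or a leaf template whose SAN dNSName is name.
func template(serial int64, name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(8760 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
	}
	return t
}

type TestPKI struct{ Root, EAPServer, WebServer, ForeignEAP *x509.Certificate }

// BuildTestPKI issues one acceptable EAP server cert and two that a supplicant must reject.
func BuildTestPKI() TestPKI {
	rootTmpl := template(1, "Example Private EAP Root", true)
	root, rootKey := issue(rootTmpl, rootTmpl, nil)
	otherTmpl := template(2, "Some Other CA", true) // stands in for a public CA
	other, otherKey := issue(otherTmpl, otherTmpl, nil)
	eap := template(10, "radius.example.org", false)
	eap.UnknownExtKeyUsage = []asn1.ObjectIdentifier{OIDEAPOverLAN}
	web := template(11, "www.example.org", false) // ordinary TLS web server cert
	web.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	foreign := template(12, "radius.example.org", false) // right name and EKU, wrong issuer
	foreign.UnknownExtKeyUsage = []asn1.ObjectIdentifier{OIDEAPOverLAN}
	p := TestPKI{Root: root}
	p.EAPServer, _ = issue(eap, root, rootKey)
	p.WebServer, _ = issue(web, root, rootKey)
	p.ForeignEAP, _ = issue(foreign, other, otherKey)
	return p
}

func main() {
	p := BuildTestPKI()
	fmt.Println("good EAP cert:  ", VerifyEAPServerCert(p.EAPServer, p.Root, "radius.example.org"))
	fmt.Println("serverAuth-only:", VerifyEAPServerCert(p.WebServer, p.Root, "www.example.org"))
	fmt.Println("untrusted root: ", VerifyEAPServerCert(p.ForeignEAP, p.Root, "radius.example.org"))
}
```

Because the trust pool holds only the private root, rotating the server certificate under that root needs no supplicant change, which is the hygiene point made above; a pinned leaf would have to be redistributed on every rotation. Go's own Verify would silently demand serverAuth if KeyUsages were left empty, so the ExtKeyUsageAny override plus the explicit OID scan is what makes a certificate carrying only the EAP EKU acceptable while still refusing a plain web certificate.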
