https://github.com/emu-wg/draft-ietf-emu-eap-tls13/issues/86

  I didn't see anything on cross-protocol use of certs.

  i.e. Section 2.2 suggests that the certs contain an FQDN.  But it's likely 
bad practice to allow the same cert to be used for EAP, and for WWW.

  There's some suggested text forbidding this behavior.

  I would have expected similar text to be part of RFC 8446, but I couldn't 
find anything relevant.

---

5.11 Certificate Reuse

Certificates used for EAP-TLS MUST NOT be used in any other protocol besides 
EAP. Section 2.2 above suggests that certificates typically have one or more 
FQDNs in the SAN extension. However, those fields are for EAP validation only, 
and do not indicate that the certificates are suitable for use on a WWW (or 
other) protocol server on the named host.

Allowing the same certificate to be used in multiple protocols would possibly 
allow for an attacker to authenticate via one protocol, and then "resume" that 
session in another protocol. Section 5.7 above suggests that authorization 
rules should be re-applied on resumption, but does not mandate this behavior. 
As a result, this cross-protocol resumption could allow the attacker to bypass 
authorization policies, and to obtain undesired access to secured systems. The 
simplest way to prevent this attack is to forbid the use of the same 
certificate across multiple protocols.
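As an added illustration (not text from the message or the draft), the following Python model shows why the proposed text matters: a session cache shared by an EAP-TLS authenticator and an HTTPS server that use one certificate, with a naive resumption path that reuses the cached decision and a checked path that binds the ticket to its originating protocol and re-applies policy. The client names, policies and ticket format are constructed for the example.

```python
# Constructed model of cross-protocol TLS session resumption; not the
# draft's or any real EAP/TLS stack's code.
from dataclasses import dataclass


@dataclass
class Session:
    client_id: str    # identity proven at the full handshake
    protocol: str     # protocol that created the session: "eap" or "https"
    authorized: bool  # authorization decision taken at that time


# Constructed per-protocol authorization policy (who may use which service).
POLICY = {
    "eap": {"alice", "bob"},   # network access
    "https": {"alice"},        # administrative web interface
}


class SessionCache:
    """One cache for both services, as happens when they share a certificate."""

    def __init__(self):
        self._store = {}
        self._next = 0

    def full_handshake(self, client_id, protocol):
        """Full handshake: authenticate, authorize, and cache the session."""
        ok = client_id in POLICY[protocol]
        ticket = f"ticket-{self._next}"
        self._next += 1
        self._store[ticket] = Session(client_id, protocol, ok)
        return ticket, ok

    def resume_naive(self, ticket, protocol):
        """Resumption as the message warns: the cached decision is reused no
        matter which protocol presents the ticket (policy is not re-applied)."""
        s = self._store.get(ticket)
        return bool(s and s.authorized)

    def resume_checked(self, ticket, protocol):
        """Hardened resumption: reject tickets from another protocol and
        re-apply the policy of the protocol actually being resumed."""
        s = self._store.get(ticket)
        if s is None or s.protocol != protocol:
            return False
        return s.client_id in POLICY[protocol]
```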
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
