> From: Alan DeKok <al...@deployingradius.com>
> On Oct 24, 2023, at 8:56 AM, josh.howl...@gmail.com wrote:
> > To be clear, what I mean is whether there is another IETF protocol that
> > *mandates* the use of WebPKI?
>
> All of them.
>
> Not explicitly, but implicitly.
>
> I think the way out here is to not mandate the use of WebPKI. Instead, we
> can just say that the EAP certificate should be issued by the same (or
> equivalent CA) to the one which was used to provision the initial FIDO
> credentials.

That is an interesting idea, but it might be tricky for the supplicant to
validate because provisioning is performed through a browser?

Jan-Fred and I have previously discussed the option of provisioning the
supplicant (through the browser) with a credential for the server at the
time of initial FIDO provisioning. This was also looking tricky, but I
think the idea also has merit.

Josh

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu