Alan DeKok <al...@deployingradius.com> wrote:
    > Not explicitly, but implicitly.

    > I think the way out here is to not mandate the use of WebPKI.  Instead,
    > we can just say that the EAP certificate should be issued by the same
    > (or equivalent CA) to the one which was used to provision the initial
    > FIDO credentials.

    > In practice, this means WebPKI most of the time.  :)

Actually, that's a stronger statement anyway.
It means that the choice of CA has essentially been pinned, so you'd not be
vulnerable to attacks like ComodoGate.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu