Alan DeKok <al...@deployingradius.com> wrote:
> Not explicitly, but implicitly.
> I think the way out here is to not mandate the use of WebPKI. Instead,
> we can just say that the EAP certificate should be issued by the same
> (or equivalent CA) to the one which was used to provision the initial
> FIDO credentials.
> In practice, this means WebPKI most of the time. :)

Actually, that's a stronger statement anyway. It means that the choice of CA has essentially been pinned, so you'd not be vulnerable to attacks like ComodoGate.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu