Alan DeKok <[email protected]> wrote:
> Not explicitly, but implicitly.
> I think the way out here is to not mandate the use of WebPKI. Instead,
> we can just say that the EAP certificate should be issued by the same
> (or equivalent CA) as the one which was used to provision the initial
> FIDO credentials.
> In practice, this means WebPKI most of the time. :)
Actually, that's a stronger statement anyway.
It means that the choice of CA has essentially been pinned, so you'd not be
vulnerable to attacks like ComodoGate.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
Emu mailing list: [email protected] https://www.ietf.org/mailman/listinfo/emu
