Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-12 Thread Jan-Frederik Rieckers
On 12.11.19 10:28, Michael Richardson wrote:
> You were trying to do a CSR with some extra attributes with a CA (using
> ACME? Using LetsEncrypt?) and the CA ignored the things that it couldn't
> verify?

No, it was a direct request to the CA of our research network. The problem here was, that the

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-12 Thread Michael Richardson
On 2019-11-12 3:53 p.m., Jan-Frederik Rieckers wrote:
> On 12.11.19 00:15, Owen Friel (ofriel) wrote:
>> One deployment consideration is if an operator wants to use a public PKI
>> (e.g. Let's Encrypt) for their AAA certs, then it could be years, if ever,
>> before these extensions could be

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-12 Thread Michael Richardson
On 2019-11-12 7:15 a.m., Owen Friel (ofriel) wrote:
> This is also related to ongoing anima discussions about RFC 8366, and how it
> can bootstrap trust when the pinned domain cert is a public PKI CA, and not a
> private CA, and hence additional domain (or realm or FQDN) info is also
> needed

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-12 Thread Alan DeKok
On Nov 12, 2019, at 11:43 AM, Russ Housley wrote:
>
> Can the extended key usage for EAP over a LAN ( id-kp-eapOverLAN ) solve this
> for you? It is defined in RFC 4334. A certificate for Web PKI should not
> include this extended key usage.
>
> RFC 4334 also offers a certificate extension

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-12 Thread Cappalli, Tim (Aruba)
How does a public CA prove ownership of an SSID?

From: Emu
Date: Tuesday, November 12, 2019 at 3:08 PM
To: Russ Housley
Cc: emu@ietf.org
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

On Nov 12, 2019, at 11:43 AM, Russ Housley wrote:
>
> Can the extended key usage for EAP

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-12 Thread Alan DeKok
On Nov 12, 2019, at 2:53 AM, Jan-Frederik Rieckers wrote:
>
> Signed PGP part
> On 12.11.19 00:15, Owen Friel (ofriel) wrote:
>> One deployment consideration is if an operator wants to use a public PKI
>> (e.g. Let's Encrypt) for their AAA certs, then it could be years, if ever,
>> before

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-12 Thread Russ Housley
> On Nov 12, 2019, at 2:53 AM, Jan-Frederik Rieckers
> wrote:
>
> Signed PGP part
> On 12.11.19 00:15, Owen Friel (ofriel) wrote:
>> One deployment consideration is if an operator wants to use a public PKI
>> (e.g. Let's Encrypt) for their AAA certs, then it could be years, if ever,
>>

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-12 Thread Cappalli, Tim (Aruba)
Regardless of validation levels, it is not possible to own an ESSID. It is possible, however, to own a domain, email address, physical address, etc. That's the difference. Putting an ESSID in a certificate is a slippery slope. I doubt any public CA or OS vendor would ever entertain this. Tim

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-12 Thread Alan DeKok
On Nov 12, 2019, at 3:13 PM, Cappalli, Tim (Aruba) wrote:
>
> How does a public CA prove ownership of an SSID?

Do public CAs *always* verify addresses and/or telephone numbers, which are normally included in certificates? Do public CAs verify that email addresses in the certificate work?

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-12 Thread Alan DeKok
On Nov 12, 2019, at 6:59 PM, Cappalli, Tim (Aruba) wrote:
>
> Regardless of validation levels, it is not possible to own an ESSID. It is
> possible, however, to own a domain, email address, physical address, etc.
> That's the difference.

I think that's largely begging the question. Your