Honestly, no information in an EAP server certificate is good enough for a user 
to make a "walk up" informed decision. If the supplicant is not properly 
pre-configured, all bets are off. TOFU is not acceptable.

At least requiring an EAP-specific EKU or OID would require operating systems 
to separate out the EAP trust store.

TLS Web Server Certificate should not be acceptable for EAP.

tim
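As an added example (not from this thread or any of its authors), here is a supplicant-side check in Go that enforces the EKU separation Tim argues for: an EAP server certificate is accepted only if it carries id-kp-eapOverLAN (1.3.6.1.5.5.7.3.14, RFC 4334), so an ordinary serverAuth web certificate is rejected no matter how convincing its subject fields look. The certificates are constructed, self-signed fixtures made by the helper below, not real issuance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// id-kp-eapOverLAN (RFC 4334): the EAP-specific EKU a supplicant can require.
var oidEAPOverLAN = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 14}

// AcceptableForEAP is the supplicant-side policy: accept only if the EKU
// extension lists id-kp-eapOverLAN. serverAuth alone is not enough, because
// every visible field of an HTTPS cert can be cloned into an imposter.
func AcceptableForEAP(cert *x509.Certificate) bool {
	// Go has no named constant for this EKU, so it lands in UnknownExtKeyUsage.
	for _, oid := range cert.UnknownExtKeyUsage {
		if oid.Equal(oidEAPOverLAN) {
			return true
		}
	}
	return false
}

// selfSigned builds a constructed, self-signed fixture (not a real issuance flow):
// known EKUs such as serverAuth go in ekus, the EAP OID in extra.
func selfSigned(cn string, ekus []x509.ExtKeyUsage, extra []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}},
		NotBefore:          time.Now(),
		NotAfter:           time.Now().Add(24 * time.Hour),
		ExtKeyUsage:        ekus,
		UnknownExtKeyUsage: extra,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

AcceptableForEAP returns false for a fixture built with only x509.ExtKeyUsageServerAuth and true for one whose extra list contains oidEAPOverLAN, even when both carry the same subject fields.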
________________________________
From: Emu <[email protected]> on behalf of Alan DeKok <[email protected]>
Sent: Wednesday, April 14, 2021 07:23
To: Michael Richardson <[email protected]>
Cc: EMU WG <[email protected]>
Subject: Re: [Emu] Issue 47 Certificate identity checks

On Apr 13, 2021, at 8:17 PM, Michael Richardson <[email protected]> wrote:
> Why did you need the HTTPS server cert?
> Did you need the OIDs, and stuff out of it?  Why wasn't the realm name enough
> to make the imposter cert from the non-authorized CA?
>
> I'm just trying to understand how the HTTPS cert is involved here.

  The HTTPS cert contains a wealth of information which makes it look "real" to 
the average person.  All of that information can be cloned into the imposter 
cert.  So the only differences between the imposter cert and real one are (a) 
signing CA, and (b) key data that most people don't understand.

  What any mere mortal looking at the imposter cert will see is "Yup, it has the 
right addresses, phone numbers, names, etc.".  For all intents and purposes, it 
appears to be real.

  This imposter process worked better years ago when supplicants would show the 
entire cert to the user.  Now, many don't even do that.  Some just show a 
fingerprint in a pop-up dialog, and ask the user "is this OK?".

  How that's useful to anyone is beyond me.

  Alan DeKok.

_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
