On Mon, Nov 18, 2019 at 08:48:45AM -0500, Alan DeKok wrote:
> Based on discussions in the IETF EMU working group. Apparently there's a 13-year-old RFC which defines an OID to indicate that certificates can be used for EAPoL.
>
> I've attached minor patches which allow this in addition to the existing id-kp-serverAuth OID.
>
> I've updated the FreeRADIUS certificate generation scripts, too. They now allow and document the id-kp-eapOverLAN OID.
>
> This change will not affect any existing implementations. But it will make hostap / wpa_supplicant more flexible in the face of future standards work.

id-kp-eapOverLAN sounds quite different compared to id-kp-serverAuth. Most use cases for hostapd/wpa_supplicant would indeed be for EAPOL, but the EAP implementation could be used for something else as well.

More importantly, it is not immediately obvious that id-kp-eapOverLAN would imply that the certificate belongs to an authentication server while that part is obvious for id-kp-serverAuth. RFC 4334 does not seem to cover that either since it is only stating that the certificate "is appropriate for use by a peer". So that peer could be a client device as well? Surely one client device should not trust an authentication server that uses a certificate that was signed for client/user for EAP-TLS.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
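The thread turns on which key-purpose OIDs in a certificate's ExtendedKeyUsage extension a TLS-based EAP peer should accept from an authentication server. The following is an added example, not code from hostap/wpa_supplicant or from the FreeRADIUS scripts: it DER-decodes an ExtKeyUsageSyntax value (SEQUENCE OF OBJECT IDENTIFIER) and applies the two policies under discussion, accepting id-kp-serverAuth unconditionally and id-kp-eapOverLAN only when the verifier opts in, since, as the reply notes, the RFC 4334 OID does not say whether the "peer" holding the certificate is the client or the server. The OID values are those registered in RFC 5280 and RFC 4334; the DER sample bytes are constructed here with the small encoder in the block, not taken from any real certificate.

```python
# Decode an X.509 ExtendedKeyUsage value and apply an EAP-server acceptance
# policy.  Added example for this thread, not hostap or FreeRADIUS code; the
# DER inputs are constructed by encode_eku() below, not from a real cert.

# Key-purpose OIDs: RFC 5280 (serverAuth, clientAuth), RFC 4334 (EAP ones).
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_EAP_OVER_PPP = "1.3.6.1.5.5.7.3.13"
ID_KP_EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"

TAG_OID = 0x06
TAG_SEQUENCE = 0x30


def encode_oid(dotted):
    """DER-encode a dotted OID: tag, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]          # low 7 bits last, no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([TAG_OID, len(body)]) + bytes(body)


def encode_eku(oids):
    """DER-encode ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (short lengths only)."""
    content = b"".join(encode_oid(o) for o in oids)
    if len(content) > 127:
        raise ValueError("example encoder supports short-form lengths only")
    return bytes([TAG_SEQUENCE, len(content)]) + content


def _read_length(buf, pos):
    """Parse a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                  # short form
        return first, pos
    n = first & 0x7F                  # long form: n length octets follow
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # last octet of this arc
            arcs.append(value)
            value = 0
    first = arcs[0]                   # first two arcs are packed into one value
    if first < 40:
        head = [0, first]
    elif first < 80:
        head = [1, first - 40]
    else:
        head = [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_eku(der):
    """Return the dotted key-purpose OIDs in an EKU extension value, strictly."""
    if not der or der[0] != TAG_SEQUENCE:
        raise ValueError("EKU value must be a SEQUENCE")
    seq_len, pos = _read_length(der, 1)
    end = pos + seq_len
    if end != len(der):
        raise ValueError("SEQUENCE length does not match data")
    oids = []
    while pos < end:
        if der[pos] != TAG_OID:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oid_len, pos = _read_length(der, pos + 1)
        if pos + oid_len > end:
            raise ValueError("OID runs past end of SEQUENCE")
        oids.append(decode_oid(der[pos:pos + oid_len]))
        pos += oid_len
    if not oids:
        raise ValueError("EKU SEQUENCE must contain at least one OID")
    return oids


def acceptable_eap_server(eku_oids, accept_eap_over_lan=False):
    """Return (accepted, reason) for using this EKU as an EAP authentication server.

    id-kp-serverAuth names the server role and is always sufficient.
    id-kp-eapOverLAN only says the certificate is for an EAP peer, so it is
    accepted solely when local policy opts in, and the reason records that the
    role is not implied by the OID.  Anything else (e.g. clientAuth alone) is refused.
    """
    if ID_KP_SERVER_AUTH in eku_oids:
        return True, "id-kp-serverAuth present"
    if ID_KP_EAP_OVER_LAN in eku_oids:
        if accept_eap_over_lan:
            return True, "id-kp-eapOverLAN accepted by local policy (role not implied)"
        return False, "id-kp-eapOverLAN present but not enabled by local policy"
    return False, "no acceptable key purpose"


if __name__ == "__main__":
    # Constructed sample: a certificate marked clientAuth + eapOverLAN, the
    # case the reply worries about.
    sample = encode_eku([ID_KP_CLIENT_AUTH, ID_KP_EAP_OVER_LAN])
    print(sample.hex(), decode_eku(sample))
    print(acceptable_eap_server(decode_eku(sample)))
    print(acceptable_eap_server(decode_eku(sample), accept_eap_over_lan=True))
```

Running the block shows the same EKU bytes being refused under the serverAuth-only policy and accepted, with the role caveat recorded in the reason, once eapOverLAN is enabled; that is the trade-off the patch and the reply are debating.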