On Nov 19, 2019, at 10:43 AM, Jouni Malinen <j@xxxxx> wrote:
>
> id-kp-eapOverLAN sounds quite different compared to id-kp-serverAuth.

Yes. It's intended for EAP, whereas id-kp-serverAuth is intended for web servers. :)

> Most use cases for hostapd/wpa_supplicant would indeed be for EAPOL, but
> the EAP implementation could be used for something else as well.

Sure. There's PANA, among other things.

> More
> importantly, it is not immediately obvious that id-kp-eapOverLAN would
> imply that the certificate belongs to an authentication server while
> that part is obvious for id-kp-serverAuth. RFC 4334 does not seem to
> cover that either since it is only stating that the certificate "is
> appropriate for use by a peer". So that peer could be a client device as
> well?

Possibly, if the OID is inside of a client cert.

> Surely one client device should not trust an authentication server
> that uses a certificate that was signed for client/user for EAP-TLS.

That is true. I'll check for other ways to verify that a server certificate is being provided to the client.

Alan DeKok.

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
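The role question raised in this exchange, as an added example that is not part of the email nor of hostapd/wpa_supplicant: it parses the DER value of a certificate's Extended Key Usage extension and applies a supplicant-side policy in which id-kp-serverAuth (or anyExtendedKeyUsage) is required for an authentication server, while id-kp-eapOverLAN alone is treated as saying nothing about the server/peer role. The OID values are the standard ones from RFC 5280 and RFC 4334; the DER test vectors are hand-constructed.

```python
# Added example, not hostapd/wpa_supplicant code: parse an X.509 EKU
# extension value and decide whether it permits the TLS server role.
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"   # RFC 4334; does not imply a role
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV, short or long length."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode OID content octets into dotted notation (base-128 arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0   # first octet packs two arcs
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear terminates the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_eku(der):
    """Parse an EKU extnValue (SEQUENCE OF OBJECT IDENTIFIER) into OID strings."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU extnValue is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU member is not an OBJECT IDENTIFIER")
        oids.append(_decode_oid(val))
    return oids

def acceptable_eap_server_eku(der):
    """True only if the EKU permits the server role; id-kp-eapOverLAN alone is
    not enough because peer (client) certificates carry it too. An absent EKU
    (der is None) imposes no restriction under RFC 5280, so it is accepted."""
    if der is None:
        return True
    oids = parse_eku(der)
    return ID_KP_SERVER_AUTH in oids or ANY_EXTENDED_KEY_USAGE in oids

# Constructed test vectors: hand-encoded DER, not taken from a real certificate.
SERVER_AND_EAP = bytes.fromhex("3014" "06082b06010505070301" "06082b0601050507030e")
EAP_ONLY = bytes.fromhex("300a" "06082b0601050507030e")
CLIENT_AND_EAP = bytes.fromhex("3014" "06082b06010505070302" "06082b0601050507030e")
```

In practice the extnValue bytes come from whatever X.509 library the supplicant uses; the decision logic is the part that matters here.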