On Nov 19, 2019, at 10:43 AM, Jouni Malinen <j@xxxxx> wrote:

> More importantly, it is not immediately obvious that id-kp-eapOverLAN would
> imply that the certificate belongs to an authentication server while
> that part is obvious for id-kp-serverAuth. RFC 4334 does not seem to
> cover that either since it is only stating that the certificate "is
> appropriate for use by a peer". So that peer could be a client device as
> well? Surely one client device should not trust an authentication server
> that uses a certificate that was signed for client/user for EAP-TLS.

Looking into it a little more, client certs in EAP typically use
id-kp-clientAuth to signify that they are client certs.

But yes, it looks like EAPoL should have separate OIDs for client / server
usage.

Alan DeKok.

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap