Of course the MAC address is trivially forged. That is the function of the certificate. MAC address XXXXX is not very interesting. MAC address that a party purporting to be CISCO says is XXXXX is quite a bit more interesting. MAC address that a party validated as CISCO says is XXXXX is more interesting still.

Now this is not getting us to a point where nobody can possibly break the system. But we have got to a point where the expected losses are a couple of orders of magnitude lower than we can expect through current approaches.

On the issues involved in using client certificates for wireless access, I agree that the current practice falls far short of what is acceptable. That is the reason why I think it would be helpful for the IETF to spend some time eating the dog food (even if a different brand, we can do better).

Now in theory, this is a problem that PKI should make easier to solve. But instead it seems that it gives people too much scope to create incompatible variations. The simplest, cleanest solution to this problem is to either have a device cert installed during manufacture or to employ my alternative scheme designed for low performance devices that does not require them to perform public key cryptography on the end point device (patent pending, all rights reserved).

I do not see the value of client certificates for this type of network access. They work in the enterprise context as the selection of the certificate is unambiguous. But here we have a situation where we are not really looking to become part of the IETF network specifically, we just want a uniform identifier. I would prefer to use client certs for VPN layer security and a device cert for WiFi authentication. The user is not a device; conflating the two is bad.

By a device cert, I mean an authentication credential that permits authentication of the device without disclosure of the authentication secret, is linked to a globally unique identifier and never expires.
The simplest solution for this in my view would be for everyone to independently generate a self-signed cert and use the fingerprint to mediate access. They can then in theory use the same cert in any similar environment.

One (yucky) way we could do this is to each enter the fingerprint of the cert(s) for each device when we register. A much better way to achieve the same effect would be to configure the network so that any computer that presents any certificate can access the network registration page (just like in a hotel network), but leaving that area is only possible after the user has authenticated and the fingerprint of the cert is entered into the auth database.

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
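The enrolment flow sketched above (any self-signed cert gets you as far as the registration page; a fingerprint recorded in the auth database gets you out of it) can be written down in a few dozen lines. The following is an added example, not code from the original post or from the IETF: it generates a long-lived self-signed device certificate, computes the SHA-256 fingerprint of its DER encoding, and models the two network zones and the auth database as plain Go types. The names `GenerateDeviceCert`, `Fingerprint`, `AuthDB` and the two zone constants are my own; the "never expires" property is approximated with the RFC 5280 GeneralizedTime value 99991231235959Z, since X.509 has no unbounded validity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// GenerateDeviceCert builds a self-signed certificate for one device.
// The subject name is informational only; identity is the key, which is
// why NotAfter is pushed to the RFC 5280 "no well-defined expiry" date.
func GenerateDeviceCert(deviceName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: deviceName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint returns SHA-256 over the DER certificate as colon-separated
// upper-case hex, the same form "openssl x509 -fingerprint -sha256" prints.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	parts := make([]string, 0, len(h)/2)
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":")
}

// Zone is the network scope granted to a connecting device.
type Zone string

const (
	ZoneRegistration Zone = "registration-only" // the hotel-style walled garden
	ZoneFull         Zone = "full"
)

// AuthDB maps enrolled fingerprints to the user who registered them.
type AuthDB struct {
	owners map[string]string
}

func NewAuthDB() *AuthDB { return &AuthDB{owners: map[string]string{}} }

// Register is what the registration page calls once the user has
// authenticated: it records the fingerprint of the cert the device presented.
func (db *AuthDB) Register(cert *x509.Certificate, user string) {
	db.owners[Fingerprint(cert)] = user
}

// Authorize decides which zone a device presenting cert may reach. Any cert
// at all reaches the registration zone; only an enrolled fingerprint leaves it.
// The subject name is never consulted, so a second key with the same CN
// stays confined.
func (db *AuthDB) Authorize(cert *x509.Certificate) (Zone, string) {
	if user, ok := db.owners[Fingerprint(cert)]; ok {
		return ZoneFull, user
	}
	return ZoneRegistration, ""
}

func main() {
	db := NewAuthDB()
	laptop, _ := GenerateDeviceCert("laptop") // constructed sample device
	z, _ := db.Authorize(laptop)
	fmt.Println("before enrolment:", z)
	db.Register(laptop, "alice") // user authenticated on the portal
	z, who := db.Authorize(laptop)
	fmt.Println("after enrolment:", z, "owner:", who, "fp:", Fingerprint(laptop))
}
```

Two points the model makes visible: the database never verifies the certificate's signature or expiry, because a self-signed cert proves nothing beyond key possession, and that possession is what the TLS (or EAP-TLS) handshake already demonstrates; and because the lookup key is the fingerprint, an attacker who learns the MAC address or the subject name gains nothing without the private key.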