Sam,
>To support all the options that libeap supports, an ID card may contain
>zero or more of:
>
>1) a CA certificate
>2) a server certificate hash
>3) constraints on subject name
>4) constraints on subject alternative name
>
>2 is exclusive with options 1, 3 and 4.
>
>However, it's not really clear to me what we do from a usability
>standpoint.
I believe option (2) is best. It plays nicely with both Enterprise
identity provisioning (which could include the hash) and leap-of-faith,
and avoids a heap of PKI complexity.
In the long run, we should aim to support RFC6124 or similar. Only a few
more days until the US patent expires :-)
Josh.
JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
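As an added illustration of option (2) above (server certificate hash), and not code from libeap, Moonshot or either participant: the sketch below models an ID card that carries only a SHA-256 fingerprint of the expected server certificate. The fingerprint can be filled in by an enterprise provisioning step or, if the card is empty, on first contact (leap-of-faith); every later connection is accepted only if the presented certificate hashes to the pinned value. The PEM blobs, the `IdCard` class and `check_server` are constructed for this example; `ssl.PEM_cert_to_DER_cert` and `hmac.compare_digest` are standard-library calls.

```python
"""Pinned server-certificate-hash check with optional leap-of-faith (TOFU).
Constructed example; not the project's own code."""
import base64
import hashlib
import hmac
import ssl


def make_fake_pem(der: bytes) -> str:
    """Wrap arbitrary bytes in PEM framing. This is a constructed stand-in for
    a real DER certificate: the hash check below only needs the raw bytes."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Two constructed "server certificates": the legitimate one and a different one.
SERVER_PEM = make_fake_pem(bytes(range(256)) * 2)
OTHER_PEM = make_fake_pem(bytes(reversed(range(256))) * 2)


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, hex-encoded; this is the value an
    ID card would carry instead of a CA certificate or name constraints."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


class IdCard:
    """Minimal model of the server-trust part of an ID card: a pinned
    fingerprint, or None if nothing has been provisioned yet."""

    def __init__(self, pinned_sha256=None):
        self.pinned_sha256 = pinned_sha256


def check_server(card: IdCard, server_pem: str, allow_tofu: bool) -> str:
    """Decide whether to trust the server presenting server_pem.

    - Provisioned card: accept only on an exact fingerprint match.
    - Empty card with allow_tofu: pin the presented certificate (leap-of-faith).
    - Empty card without allow_tofu: reject; nothing to compare against.
    """
    fp = cert_fingerprint(server_pem)
    if card.pinned_sha256 is None:
        if not allow_tofu:
            return "reject: no pin and leap-of-faith disabled"
        card.pinned_sha256 = fp
        return "accept: pinned on first use"
    # Constant-time comparison avoids leaking how much of the pin matched.
    if hmac.compare_digest(card.pinned_sha256, fp):
        return "accept: matches pin"
    return "reject: fingerprint mismatch"


if __name__ == "__main__":
    provisioned = IdCard(cert_fingerprint(SERVER_PEM))   # enterprise-provisioned
    print(check_server(provisioned, SERVER_PEM, allow_tofu=False))
    print(check_server(provisioned, OTHER_PEM, allow_tofu=False))

    fresh = IdCard()                                     # leap-of-faith flow
    print(check_server(fresh, SERVER_PEM, allow_tofu=True))
    print(check_server(fresh, OTHER_PEM, allow_tofu=True))
```

The point worth noticing is that neither flow needs a CA, chain building or name matching: the trust decision is a single hash comparison, which is exactly the PKI complexity the reply says option (2) avoids. The cost is operational rather than cryptographic: when the server's certificate rotates, every card carrying the old fingerprint has to be re-provisioned or re-pinned.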