EAP-TLS Certificate Validation
- From: wauger@xxxxxxxxx
- Date: 17 Nov 2006 09:23:43 -0800
A colleague posed a question to me and I wanted to get the consortium's
expert opinion before I respond. Within EAP-TLS the user and the server
are both required to possess a certificate. Must those certificates be
issued by the same PKI chain (CA and subordinates) in order for EAP-TLS
to authenticate successfully? Let me see if I can further clarify the
question.
The EAP-TLS Server (authenticator) has a server certificate with the
following chain:
Root CA1 --> Subordinate CA1 --> Server Certificate
The EAP-TLS Client (supplicant) has a user certificate with the
following chain:
Root CA2 --> Subordinate CA2 --> User Certificate
The EAP-TLS server TRUSTS multiple CAs including "Root CA2". Likewise
the client's trusted CA store contains "Root CA1". Obviously each
end-point implicitly trusts its own issuing authority.
Does this mean that even though the server certificate is not issued by
the same chain as the user certificate that authentication will be
successful because each end-point trusts the other's authorities? Or is
it a requirement that the certificates used in the EAP-TLS exchange be
issued by the same authorities?
I have my opinion after researching the RFC. But I wanted to see if
anyone has a definitive response.
Any help would be much appreciated. Thanks.
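The two chains described in the post, reproduced as an added example (this is not part of the original message or any reply). EAP-TLS carries a standard TLS handshake, and in TLS each endpoint validates the peer's certificate chain against its own trust store, which is exactly the check `openssl verify` performs below: the trust store is the `-CAfile`, the intermediates the peer sends in the handshake are `-untrusted`. The script builds Root CA1 -> Subordinate CA1 -> Server Certificate and Root CA2 -> Subordinate CA2 -> User Certificate as two fully independent PKIs, then runs the server-side check (trust store holds Root CA2) and the client-side check (trust store holds Root CA1), plus a counter-case in which the server's store holds only its own Root CA1. It requires the openssl command-line tool; all names are made up.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the two PKIs from the
# question with the openssl CLI (required) and runs the chain validation each
# EAP-TLS endpoint performs on its peer. All names are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > server.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

# issue NAME EXTFILE [ISSUER]: self-signed when no issuer is given,
# otherwise signed by ISSUER's key.
issue() {
  name=$1; ext=$2; issuer=${3:-}
  openssl ecparam -name prime256v1 -genkey -noout -out "$name.key"
  openssl req -new -config req.cnf -key "$name.key" -subj "/CN=$name" -out "$name.csr"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 365 \
      -extfile "$ext" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -days 365 -extfile "$ext" -out "$name.crt" 2>/dev/null
  fi
}

# Chain 1: Root CA1 -> Subordinate CA1 -> Server Certificate
issue rootca1 ca.ext
issue subca1  ca.ext rootca1
issue server  server.ext subca1
# Chain 2: Root CA2 -> Subordinate CA2 -> User Certificate
issue rootca2 ca.ext
issue subca2  ca.ext rootca2
issue user    client.ext subca2

# validate TRUST_STORE INTERMEDIATE LEAF: the check a TLS endpoint performs
# on the peer's certificate. Only TRUST_STORE is trusted; the intermediate
# arrives in the peer's handshake and is used for path building, not trusted.
# -no-CAfile/-no-CApath keep the system store out of the picture.
validate() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Server side: the server's trust store contains Root CA2; the client
# presents User Certificate + Subordinate CA2.
server_accepts_user() { validate rootca2.crt subca2.crt user.crt; }

# Client side: the client's trust store contains Root CA1; the server
# presents Server Certificate + Subordinate CA1.
client_accepts_server() { validate rootca1.crt subca1.crt server.crt; }

# Counter-case: a server whose trust store holds only Root CA1 (the issuer of
# its own certificate) has no anchor for chain 2 and must reject the user.
server_with_only_own_root_accepts_user() { validate rootca1.crt subca2.crt user.crt; }

if server_accepts_user && client_accepts_server; then
  echo "cross-PKI: both endpoints validate the peer's chain against their own store"
fi
if ! server_with_only_own_root_accepts_user; then
  echo "without Root CA2 in the server's trust store the user certificate is rejected"
fi
```

The point the script makes concrete is that the two validations are independent: the server never consults the issuer of its own certificate when checking the client, and vice versa. What matters on each side is only whether the peer's root is in that side's trust store (and, in a real deployment, whether the supplicant is also configured to check the server's identity rather than just any certificate chaining to a trusted root).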
- Follow-Ups:
- Re: EAP-TLS Certificate Validation
- From: Peter Boosten
- Re: EAP-TLS Certificate Validation