
Re: Last Call: Wireless LAN Certificate Extensions and Attributes to Proposed Standard




Thomas,


I think you have raised some good points re the proposed extension for wireless LANs, but I strongly disagree with the following suggestion:

(A better goal would be to achieve the scenario where one
client-certificate can be accepted by multiple W-ISPs, regardless of
which SSID is being used in a given HotSpot.  For this to happen,
a common Root CA for inter-WISP roaming is needed.  However, this is
something that may be beyond the IETF.)

I can see why VeriSign might think this is a "better goal," since VS might want to serve as a Root CA here just as it does for browsers. However, I would not agree that it is a better goal in a broader community sense. We have enough experience with the pitfalls of this sort of PKI model in the browser world. Let's not suggest that it be repeated in the wireless LAN authentication context too.


Steve