On 28 Jun 2018, at 16:48, d tbsky <tbskyd@gmail.com> wrote:
1. is the "xp" extensions means windows xp or something?
They were introduced with Windows XP.
2. is xp extensions only useful if we want client to verify server certificate?
No, the Windows supplicant will flat out not work without the OIDs being present.
3. if we use certificate like let's encrypt without xp extensions. what function do we miss? I know it is not very secure to use public CA, but it seems easier when deal with mobile devices bring by users. they just want to access wifi with their active directory username/password.
Don't do this - it's insecure if you allow users to use TOFU with a public CA, and has no advantage over a private CA from a UX perspective. Users will still be prompted to accept the certificate manually even if you obtain it from a public CA. Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.