Multiple CAs

Alan DeKok aland at
Wed Oct 4 16:41:11 CEST 2017

On Oct 4, 2017, at 9:23 AM, Jonathan Gazeley <Jonathan.Gazeley at> wrote:
> It's two different AD solutions - the traditional on-premises AD and a new cloud-hosted Azure AD. I don't see why they can't have the same CA, but the people responsible for this new hybrid solution disagree. User systems are split between the two ADs.

  The CA is just a blob of data.  There's no reason they can't use the same CA in two places.  Many other people do it.

> Alas, all these systems have the same anonymous outer realm in the outer identity and from what I can see, no other distinguishing attributes that I could use to filter on.

  That's just dumb...

> Sadly not. There are two types of end user system out in the wild and they have either one CA or the other. They are managed differently but they all use the same realm.
> Thanks for confirming my beliefs. I'll go back to management and tell them the author of the RFCs says their design won't work.

  Yup.  They can't work around the limitations of EAP and TLS.  No matter what kind of ideas they have, reality is more important.

  Alan DeKok.
