Hi Bernard,

Thanks for the update. I'd like to have some discussion on section 2.4 - Identity verification. Currently the section states that the peer identity is obtained from the subjectAltName in the certificate. Is this text meant to be normative? Currently there are implementations that use elements of the subject distinguished name and do not provide a subjectAltName.

Perhaps it would be better to say the subjectAltName is used if it is present and if it is not then the subject distinguished name is used. However, it seems that RFC3280 might indicate that it would be better to use subject distinguished name if it is present and subjectAltName if not. This section should reference RFC3280. Also, is there any reason why mapping using a directory service is called out? Isn't just mapping to a Peer-ID or Server-ID sufficient? It may also be good to say that an EAP-TLS implementation MAY make other certificate fields available to the lower layer.

The document should also state in the security considerations section that the identity in the identity response is not necessarily related to the identity authenticated in EAP-TLS and should not be relied upon for any access control or accounting purposes.

Joe

> -----Original Message-----
> From: Bernard Aboba [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 17, 2006 6:57 PM
> To: [email protected]
> Subject: [Emu] Review requested: draft-simon-emu-rfc2716bis-03.txt
>
> I have updated RFC 2716bis with a list of changes, added a
> section on privacy, rewritten the key hierarchy section to
> utilize modern terminology (MSK, EMSK), and updated the
> security considerations section.
>
> The updated document is available here:
> http://www.ietf.org/internet-drafts/draft-simon-emu-rfc2716bis-03.txt
>
> Comments welcome.
>
> _______________________________________________
> Emu mailing list
> [email protected]
> https://www1.ietf.org/mailman/listinfo/emu
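
The identity-selection rule discussed in this message (subjectAltName when present, otherwise the subject distinguished name, with the EAP Identity response kept out of access-control decisions), as an added Go example that is not part of the original post or of the draft. The function names, the sample values and the choice of the first certificate-derived name as the authorization identity are assumptions, and the certificate is assumed to have already passed path validation.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// peerIDs returns candidate Peer-IDs from an already validated certificate:
// subjectAltName entries when present, otherwise the subject DN as a string.
func peerIDs(c *x509.Certificate) []string {
	var ids []string
	ids = append(ids, c.EmailAddresses...) // rfc822Name
	ids = append(ids, c.DNSNames...)       // dNSName
	for _, u := range c.URIs {             // uniformResourceIdentifier
		ids = append(ids, u.String())
	}
	// Fallback for certificates that carry no subjectAltName.
	if dn := c.Subject.String(); len(ids) == 0 && dn != "" {
		ids = append(ids, dn)
	}
	return ids
}

// accessIdentity returns the identity for access control and accounting. It always
// comes from the certificate; the Identity response is only compared (assumed policy).
func accessIdentity(eapIdentity string, c *x509.Certificate) (id string, claimed bool) {
	ids := peerIDs(c)
	for _, v := range ids {
		if v == eapIdentity {
			return v, true
		}
	}
	if len(ids) == 0 {
		return "", false
	}
	return ids[0], false
}

// sampleCert builds a constructed, unsigned certificate value for illustration.
func sampleCert(cn string, emails ...string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, EmailAddresses: emails}
}

func main() {
	for _, c := range []*x509.Certificate{sampleCert("alice", "alice@example.com"), sampleCert("alice")} {
		id, claimed := accessIdentity("anonymous@example.com", c)
		fmt.Printf("peer-id=%q identity-response-matches=%v\n", id, claimed)
	}
}
```

A `claimed` value of false is the case the message warns about: the Identity response names something other than the authenticated peer, so only the returned certificate-derived value should reach authorization or accounting records.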
