The document should also state in the security considerations section that the identity in the identity response is not necessarily related to the identity authenticated in EAP-TLS and should not be relied upon for any access control or accounting purposes.
Here is some proposed new text for Section 2.4:

"As noted in [RFC3748] Section 5.1:

It is RECOMMENDED that the Identity Response be used primarily for routing purposes and selecting which EAP method to use. EAP Methods SHOULD include a method-specific mechanism for obtaining the identity, so that they do not have to rely on the Identity Response.

As part of the TLS negotiation, the server presents a certificate to the peer, and if mutual authentication is requested, the peer presents a certificate to the server. EAP-TLS therefore provides a mechanism for determining both the peer identity (Peer-Id in [KEYFRAME]) and server identity (Server-Id in [KEYFRAME]). Since the identity presented in the Identity Response need not be related to the identity presented in the peer certificate, EAP-TLS implementations SHOULD NOT require that they be identical, and SHOULD NOT use the identity presented in the Identity Response for access control or accounting purposes."

_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
