Looks good to me.

> -----Original Message-----
> From: Bernard Aboba [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 22, 2006 8:47 AM
> To: Joseph Salowey (jsalowey); [email protected]
> Subject: RE: [Emu] Review requested: draft-simon-emu-rfc2716bis-03.txt
>
> >The document should also state in the security considerations section
> >that the identity in the identity response is not necessarily related
> >to the identity authenticated in EAP-TLS and should not be relied upon
> >for any access control or accounting purposes.
>
> Here is some proposed new text for Section 2.4:
>
> "As noted in [RFC3748] Section 5.1:
>
>    It is RECOMMENDED that the Identity Response be used primarily for
>    routing purposes and selecting which EAP method to use. EAP
>    Methods SHOULD include a method-specific mechanism for obtaining
>    the identity, so that they do not have to rely on the Identity
>    Response.
>
> As part of the TLS negotiation, the server presents a certificate to the
> peer, and if mutual authentication is requested, the peer presents a
> certificate to the server. EAP-TLS therefore provides a mechanism for
> determining both the peer identity (Peer-Id in [KEYFRAME]) and server
> identity (Server-Id in [KEYFRAME]). Since the identity presented in the
> Identity Response need not be related to the identity presented in the
> peer certificate, EAP-TLS implementations SHOULD NOT require that they
> be identical, and SHOULD NOT use the identity presented in the Identity
> Response for access control or accounting purposes."
_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
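The proposed Section 2.4 text draws a line between two identities an EAP-TLS server sees: the unauthenticated NAI in the EAP-Response/Identity, which is fit for routing and method selection, and the Peer-Id derived from the peer certificate, which is what the TLS handshake actually authenticated. The example below is added here to illustrate that split on the server side; it is not code from the draft, from the thread, or from any EAP implementation. The certificate is a constructed stand-in for an already chain-validated X.509 leaf, the sample sessions are constructed, and the Peer-Id derivation rule (first rfc822Name in subjectAltName, else subject CN) is an assumption chosen for the example rather than something the quoted text specifies.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PeerCertificate:
    # Constructed stand-in for the peer's X.509 certificate *after* the TLS
    # stack has validated the chain; a real server would read these fields
    # from the parsed leaf certificate.
    subject_cn: str
    san_rfc822: Tuple[str, ...] = ()


@dataclass(frozen=True)
class EapTlsSession:
    identity_response: str                # NAI from EAP-Response/Identity (unauthenticated)
    peer_cert: Optional[PeerCertificate]  # None when mutual authentication was not requested


@dataclass(frozen=True)
class Decision:
    granted: bool
    peer_id: Optional[str]        # identity actually authenticated by the TLS handshake
    accounting_id: Optional[str]  # identity to write into accounting records, if any
    notes: Tuple[str, ...]


def realm_of(identity_response: str) -> Optional[str]:
    """The job the quoted text leaves to the Identity Response: pick the
    realm used to route the request and select an EAP method."""
    _, sep, realm = identity_response.rpartition("@")
    return realm if sep else None


def derive_peer_id(cert: PeerCertificate) -> str:
    """Peer-Id from the certificate. Assumed rule for this example: first
    rfc822Name in subjectAltName, otherwise the subject CN."""
    return cert.san_rfc822[0] if cert.san_rfc822 else cert.subject_cn


def authorize_by_identity_response(session: EapTlsSession, allowed: set) -> Decision:
    """The pattern the proposed text says SHOULD NOT be used: access and
    accounting hinge on a value the peer asserted without proof."""
    ident = session.identity_response
    return Decision(ident in allowed, None, ident,
                    ("access/accounting based on unauthenticated Identity Response",))


def authorize_by_peer_id(session: EapTlsSession, allowed: set) -> Decision:
    """Recommended pattern: decide on the certificate-derived Peer-Id, and
    treat an Identity Response that differs as informational, not a failure."""
    if session.peer_cert is None:
        # No mutual authentication: there is no authenticated peer identity,
        # and the Identity Response is not a substitute for one.
        return Decision(False, None, None,
                        ("no peer certificate: no Peer-Id available for access control",))
    peer_id = derive_peer_id(session.peer_cert)
    notes: Tuple[str, ...] = ()
    if peer_id != session.identity_response:
        # SHOULD NOT require the two to be identical: log, do not reject.
        notes = (f"Identity Response {session.identity_response!r} differs from "
                 f"Peer-Id {peer_id!r}; logged only, not a rejection",)
    return Decision(peer_id in allowed, peer_id, peer_id, notes)


# Constructed sample sessions (no real users or certificates).
ALLOWED = {"alice@example.com"}
ANON_ALICE = EapTlsSession("anonymous@example.com",
                           PeerCertificate("alice", ("alice@example.com",)))
SPOOFED = EapTlsSession("alice@example.com",
                        PeerCertificate("mallory", ("mallory@example.com",)))
NO_CERT = EapTlsSession("alice@example.com", None)


if __name__ == "__main__":
    for name, s in (("anonymous NAI", ANON_ALICE), ("spoofed NAI", SPOOFED), ("no cert", NO_CERT)):
        print(name, "-> realm for routing:", realm_of(s.identity_response))
        print("  by Identity Response:", authorize_by_identity_response(s, ALLOWED))
        print("  by Peer-Id:          ", authorize_by_peer_id(s, ALLOWED))
```

The three sample sessions show why the distinction matters: an anonymous NAI with a valid certificate is correctly admitted and accounted as the certificate holder, an NAI that merely claims an authorized name is not enough when the certificate says otherwise, and a session without a peer certificate yields no Peer-Id at all, so the Identity Response cannot be promoted to fill that gap.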
