I have a question that is somewhat related (at least I think so :))

In the privacy section (2.7) it is stated that when a peer that supports
privacy receives a subsequent certificate_request from the server (after the
server has received a list with no certs), the peer MUST provide a cert
list containing at least one entry in its response to the server.
What would the subject name in that entry be, if the peer intends to protect
its identity? Is there a part of the draft that explains this which I missed?

Thanks,

Madjid

-----Original Message-----
From: Bernard Aboba [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 22, 2006 8:47 AM
To: [EMAIL PROTECTED]; [email protected]
Subject: RE: [Emu] Review requested: draft-simon-emu-rfc2716bis-03.txt

>The document should also state in the security considerations section
>that the identity in the identity response is not necessarily related to
>the identity authenticated in EAP-TLS and should not be relied upon for
>any access control or accounting purposes.

Here is some proposed new text for Section 2.4:

"As noted in [RFC3748] Section 5.1:

   It is RECOMMENDED that the Identity Response be used primarily for
   routing purposes and selecting which EAP method to use.  EAP
   Methods SHOULD include a method-specific mechanism for obtaining
   the identity, so that they do not have to rely on the Identity
   Response.

As part of the TLS negotiation, the server presents a certificate to
the peer, and if mutual authentication is requested, the peer
presents a certificate to the server.  EAP-TLS therefore provides
a mechanism for determining both the peer identity (Peer-Id in [KEYFRAME])
and server identity (Server-Id in [KEYFRAME]).
Since the identity presented in the Identity Response need
not be related to the identity presented in the peer certificate,
EAP-TLS implementations SHOULD NOT require that they be identical,
and SHOULD NOT use the identity presented in the Identity Response
for access control or accounting purposes."
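As an added illustration (not text from the draft or from anyone in this thread) of the proposed Section 2.4 rule and of the privacy question above: a Python sketch of an EAP-TLS server that uses the Identity Response only for realm routing and derives the Peer-Id from the peer certificate, taken here in the dict shape that ssl.SSLSocket.getpeercert() returns. The EAP packet, certificate and allow-list are constructed samples.

```python
"""EAP-TLS identity handling: route on the Identity Response, authorize on the
peer certificate (added illustration of the Section 2.4 text quoted above)."""
import struct
from typing import Optional

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

def parse_identity_response(pkt: bytes) -> str:
    """Decode an EAP-Response/Identity packet (RFC 3748 section 5.1):
    Code(1) Identifier(1) Length(2) Type(1) Type-Data. Raises ValueError otherwise."""
    if len(pkt) < 5:
        raise ValueError("EAP packet too short")
    code, _ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY or length != len(pkt):
        raise ValueError("not a well-formed EAP-Response/Identity")
    return pkt[5:length].decode("utf-8")

def routing_realm(identity: str) -> Optional[str]:
    """Realm part of an NAI (user@realm); used only to pick the home server
    and EAP method, never for access control."""
    _user, sep, realm = identity.rpartition("@")
    return realm if sep else None

def peer_id_from_cert(cert: dict) -> str:
    """Peer-Id from the peer certificate (getpeercert() dict shape):
    prefer a subjectAltName rfc822Name ('email'), fall back to the CN."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "email":
            return value
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    raise ValueError("peer certificate carries no usable identity")

def authorize(pkt: bytes, cert: dict, allowed_peers: set) -> dict:
    """Server decision: the (possibly anonymous) Identity Response steers
    routing only; the access decision keys off the certificate-derived
    Peer-Id, and the two identities are not required to match."""
    outer = parse_identity_response(pkt)
    peer_id = peer_id_from_cert(cert)
    return {"realm": routing_realm(outer), "peer_id": peer_id,
            "granted": peer_id in allowed_peers}

def build_identity_response(identity: str, ident: int = 1) -> bytes:
    """Constructed sample packet: a privacy-preserving peer sends an anonymous NAI."""
    body = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(body), EAP_TYPE_IDENTITY) + body

SAMPLE_PKT = build_identity_response("anonymous@example.net")   # constructed
SAMPLE_CERT = {"subject": ((("commonName", "alice"),),),        # constructed
               "subjectAltName": (("email", "alice@example.net"),)}
```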



_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
