> How about rephrasing the text to something like this?
>
> Since the identity presented in the Identity Response need not be
> related to the identity presented in the peer certificate, EAP-TLS
> implementations SHOULD NOT require that they be identical.
> However, if they are not identical, the identity presented in the
> Identity Response is unauthenticated information, and SHOULD NOT be
> used for access control or accounting purposes.
Looks good.

> I'm aware that some implementations do this, but the document should
> explain the security implications better. If you compare the name in
> the certificate with the expected server name, an attacker can fool you if
> he breaks into that server and steals its private key. If you don't
> check the name, the attacker can steal a private key corresponding to
> any certificate issued by your trusted CA (which in the case of a large CA
> could be millions of potential points of failure).

OK.

_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
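The two policies discussed in the quoted text (trusting any certificate from the CA versus also checking the expected name) and the point about the Identity Response, as an added illustration that is not part of this thread or of any EAP-TLS implementation. It uses a constructed toy certificate model in which an HMAC under the CA's secret key stands in for the CA's signature; the CA, server and key names are made up.

```python
import hashlib
import hmac

# Toy certificate model (constructed for this example, not real X.509): a cert
# binds a subject name to its issuing CA, and an HMAC under the CA's secret key
# stands in for the CA's signature so the example runs with the stdlib only.

def issue_cert(ca_name: str, ca_key: bytes, subject: str) -> dict:
    body = f"{ca_name}|{subject}".encode()
    return {"issuer": ca_name, "subject": subject,
            "sig": hmac.new(ca_key, body, hashlib.sha256).hexdigest()}

def chains_to_trusted_ca(cert: dict, trusted_cas: dict) -> bool:
    """True if the cert carries a valid signature from a CA in our trust store."""
    ca_key = trusted_cas.get(cert["issuer"])
    if ca_key is None:
        return False
    body = f"{cert['issuer']}|{cert['subject']}".encode()
    expected = hmac.new(ca_key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])

def accept_ca_only(cert: dict, trusted_cas: dict) -> bool:
    """Weak policy: any valid cert from a trusted CA passes, so the private key
    of ANY certificate that CA ever issued is a point of failure."""
    return chains_to_trusted_ca(cert, trusted_cas)

def accept_ca_and_name(cert: dict, trusted_cas: dict, expected_name: str) -> bool:
    """Strict policy: the cert must also name the server we expect, so only
    that one server's private key is a point of failure."""
    return chains_to_trusted_ca(cert, trusted_cas) and cert["subject"] == expected_name

def identity_for_access_control(cert: dict, trusted_cas: dict, identity_response: str):
    """Return the authenticated subject from the peer certificate; the Identity
    Response is only an unauthenticated hint and is deliberately not used."""
    if not chains_to_trusted_ca(cert, trusted_cas):
        return None
    return cert["subject"]

# Constructed sample PKI: one trusted CA, two certs it issued, one rogue CA.
TRUSTED_CAS = {"Example Root CA": b"example-root-secret"}
EXPECTED_SERVER = "aaa.example.com"
SERVER_CERT = issue_cert("Example Root CA", TRUSTED_CAS["Example Root CA"], EXPECTED_SERVER)
OTHER_CERT = issue_cert("Example Root CA", TRUSTED_CAS["Example Root CA"], "mail.example.org")
ROGUE_CERT = issue_cert("Rogue CA", b"rogue-secret", EXPECTED_SERVER)

if __name__ == "__main__":
    print("CA only :", accept_ca_only(SERVER_CERT, TRUSTED_CAS), accept_ca_only(OTHER_CERT, TRUSTED_CAS))
    print("CA+name :", accept_ca_and_name(SERVER_CERT, TRUSTED_CAS, EXPECTED_SERVER),
          accept_ca_and_name(OTHER_CERT, TRUSTED_CAS, EXPECTED_SERVER))
```

With the weak policy the certificate for mail.example.org is accepted as if it were aaa.example.com; with the name check it is rejected.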
