Excellent!

> -----Original Message-----
> From: Ryan Hurst [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 06, 2007 12:32 PM
> To: Joseph Salowey (jsalowey); Bernard Aboba; [email protected]
> Subject: RE: [Emu] Issue: Validation of server certificates in Section 5.3 of RFC 2716bis
>
> The 4.2.2.1 reference is in support of "including the ability
> to retrieve intermediate certificates that may be necessary
> to validate"; this is particularly important in cases where a
> server sends only its certificate, sends an incomplete chain
> or sends an incorrect chain but the right leaf.
>
> Ryan
>
> -----Original Message-----
> From: Joseph Salowey (jsalowey) [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 06, 2007 11:11 AM
> To: Ryan Hurst; Bernard Aboba; [email protected]
> Subject: RE: [Emu] Issue: Validation of server certificates in Section 5.3 of RFC 2716bis
>
> Looks fine to me. Any particular reason why we emphasize 4.2.2.1?
>
> Thanks,
>
> Joe
>
> > -----Original Message-----
> > From: Ryan Hurst [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, June 05, 2007 9:45 PM
> > To: Bernard Aboba; [email protected]
> > Subject: RE: [Emu] Issue: Validation of server certificates in Section 5.3 of RFC 2716bis
> >
> > Yes, I noticed this recently too; I think that's a good addition.
> >
> > Ryan
> >
> > ________________________________
> >
> > From: Bernard Aboba [mailto:[EMAIL PROTECTED]
> > Sent: Tue 6/5/2007 9:41 PM
> > To: [email protected]
> > Subject: [Emu] Issue: Validation of server certificates in Section 5.3 of RFC 2716bis
> >
> > I was looking at Section 5.3 in RFC 2716bis, and I noticed that while
> > RFC 3280 conformant path validation is recommended for EAP-TLS
> > servers, there is no such recommendation for EAP-TLS peers. This
> > seems odd.
> >
> > For example, Section 5.3 states:
> >
> >    Since the EAP-TLS server is typically connected to the Internet, it
> >    SHOULD support validating the peer certificate using RFC 3280
> >    [RFC3280] conformant path validation, including the ability to
> >    retrieve intermediate certificates that may be necessary to validate
> >    the peer certificate. For details, see [RFC3280] Section 4.2.2.1.
> >
> > There is no equivalent statement for EAP-TLS peers.
> >
> > I would propose to insert the following sentence in Section 5.3:
> >
> >    The EAP-TLS peer SHOULD support validating
> >    the server certificate using RFC 3280 [RFC3280] conformant path
> >    validation.

_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
