Alan's review made the following comments: > Section 2.2 has substantial new text which was not previously discussed on the WG mailing list.
> The EAP server identity in the TLS server certificate is typically a > fully qualified domain name (FQDN). EAP peer implementations SHOULD > allow users to configuring a unique trust root (CA certificate) and a > server name to authenticate the server certificate and match the > subjectAlternativeName (SAN) extension in the server certificate with > the configured server name. > Comment: How does this text related to RFC 5216 Section 5.2 ? There seems to be substantial overlap. > What does this text add to / change from RFC 5216 Section 5.2 ? [Joe] It was brought up in discussions that RFC 5216 does not sufficiently describe how to validate the identity in the certificate. > Requiring a supplicant to be configured with a peer name is a new requirement from RFC 5216, and isn't called out as such. [Joe] This can be called out in this section > What happens in a high availability (HA) environment? Are all of the EAP servers required to have the same FQDN? [Joe] This is a good question. There are multiple ways this could be addressed. All servers should have one of their list of SANs that matches the name used for EAP servers. Another option is for supplicants to allow for the configuration of multiple certificates or allow for a wild card match. How about this text addition: "EAP-TLS deployments will often use more than one EAP server. In this case each EAP server may have a different certificate. To facilitate the SAN matching, EAP Server certificates can include the same name in the list of SANs for each certificate that represents the EAP-TLS servers. EAP-TLS peers SHOULD allow for the configuration of multiple EAP server names since deployments may choose to use multiple EAP servers each with their own certificate." > While this text is intended to increase security, there are implementation and operational considerations which need addressing. > In the absence of a user-configured root > CA certificate, > Comment: I'm not sure what that means. It seems to assume certain things without explaining them. [Joe] This text doesn't seem to add much. I'd suggest removing that sentence. > The process of configuring a root CA certificate and a server name is > non-trivial and therefore automated methods of provisioning are > RECOMMENDED. For example, the eduroam federation [RFC7593] provides > a Configuration Assistant Tool (CAT) to automate the configuration > process. In the absence of a trusted root CA certificate (user > configured or system-wide), EAP peers MAY implement a trust on first > use (TOFU) mechanism where the peer trusts and stores the server > certificate during the first connection attempt. The EAP peer > ensures that the server presents the same stored certificate on > subsequent interactions. Use of TOFU mechanism does not allow for > the server certificate to change without out-of-band validation of > the certificate and is therefore not suitable for many deployments. > i.e. when there's an HA configuration. [Joe] Is your comment about HA and the TOFU mechanism? I'm not really sure how the TOFU mechanism is supposed to work and be secure. Perhaps we should remove the TOFU mechanism text or state that it does not work well in all HA configurations (where different servers use different certificates)
_______________________________________________ Emu mailing list [email protected] https://www.ietf.org/mailman/listinfo/emu
