On May 9, 2021, at 9:16 PM, Joseph Salowey <j...@salowey.net> wrote:
> [Joe] This is a good question. There are multiple ways this could be
> addressed. All servers should have one of their list of SANs that matches
> the name used for EAP servers. Another option is for supplicants to allow
> for the configuration of multiple certificates or allow for a wild card match.

FWIW, wpa_supplicant has a list of allowed host names for SAN. I don't think it allows wildcards.

> How about this text addition:
>
> "EAP-TLS deployments will often use more than one EAP server. In this case
> each EAP server may have a different certificate. To facilitate the SAN
> matching, EAP Server certificates can include the same name in the list of
> SANs for each certificate that represents the EAP-TLS servers. EAP-TLS peers
> SHOULD allow for the configuration of multiple EAP server names since
> deployments may choose to use multiple EAP servers each with their own
> certificate."

That's good.

> [Joe] Is your comment about HA and the TOFU mechanism? I'm not really sure
> how the TOFU mechanism is supposed to work and be secure. Perhaps we should
> remove the TOFU mechanism text or state that it does not work well in all HA
> configurations (where different servers use different certificates)

Perhaps just state that it does not work well in HA configurations. I don't think TOFU can be secure here.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
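The two policies discussed in this message, a supplicant-side list of allowed EAP server names matched exactly against each server certificate's dNSName SANs versus a trust-on-first-use pin on whichever certificate answered first, can be contrasted with a short simulation. The code below is an added example and is not part of the thread, the draft text, or wpa_supplicant; the server fleet, certificate contents, the shared name `eap.example.com`, and the DER byte strings are constructed stand-ins for real X.509 certificates, chosen only so the matching logic runs offline.

```python
"""EAP server name matching behind a multi-server (HA) deployment.

Policy from the thread: every EAP server certificate carries the same shared
SAN (here eap.example.com, an assumed name) alongside its own hostname, and
the peer is configured with a list of acceptable server names. Matching is
exact and case-insensitive; no wildcard expansion. A TOFU-style pin on the
first certificate's fingerprint is shown for contrast: it fails the moment a
different HA node answers with its own certificate.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ServerCert:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER)."""
    subject_cn: str
    dns_sans: Tuple[str, ...]
    der: bytes

    def fingerprint(self) -> str:
        # Pinning implementations key on a hash of the DER encoding.
        return hashlib.sha256(self.der).hexdigest()


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.strip().rstrip(".").lower()


def san_matches(cert: ServerCert, allowed_names: List[str]) -> Optional[str]:
    """Return the first configured name that appears among the cert's dNSName
    SANs, or None. Exact match only: '*.example.com' is a literal, never a
    wildcard, mirroring a supplicant that does not support wildcard matching."""
    sans = {_normalize(s) for s in cert.dns_sans}
    for name in allowed_names:
        if _normalize(name) in sans:
            return _normalize(name)
    return None


class TofuPeer:
    """Trust-on-first-use: remember the first fingerprint seen, reject others."""

    def __init__(self) -> None:
        self.pinned: Optional[str] = None

    def accept(self, cert: ServerCert) -> bool:
        fp = cert.fingerprint()
        if self.pinned is None:
            self.pinned = fp
            return True
        return fp == self.pinned


# Constructed two-node fleet; each node has its own certificate, and both
# certificates include the shared name as recommended in the draft text.
FLEET = (
    ServerCert("radius1.example.com",
               ("radius1.example.com", "eap.example.com"), b"cert-of-radius1"),
    ServerCert("radius2.example.com",
               ("radius2.example.com", "eap.example.com"), b"cert-of-radius2"),
)


def authenticate_round_robin(allowed_names: List[str], rounds: int = 4) -> List[bool]:
    """Name-based policy: each authentication lands on the next HA node."""
    return [san_matches(FLEET[i % len(FLEET)], allowed_names) is not None
            for i in range(rounds)]


def tofu_round_robin(rounds: int = 4) -> List[bool]:
    """TOFU policy under the same round-robin: every other node is rejected."""
    peer = TofuPeer()
    return [peer.accept(FLEET[i % len(FLEET)]) for i in range(rounds)]


if __name__ == "__main__":
    print("shared SAN  :", authenticate_round_robin(["eap.example.com"]))
    print("per-host list:", authenticate_round_robin(["radius1.example.com",
                                                       "radius2.example.com"]))
    print("wildcard    :", authenticate_round_robin(["*.example.com"]))
    print("TOFU pin    :", tofu_round_robin())
```

Either a single shared SAN or a configured list of every node's own name passes on all nodes; a wildcard entry passes nowhere because it is compared literally; the TOFU pin alternates between accept and reject as the load balancer alternates nodes, which is the HA failure mode the message describes.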