On May 19, 2021, at 8:37 AM, Oleg Pekar <[email protected]> wrote:

> After thinking a bit more about it - for the sake of the client
> implementation clarity, would it be better if we provide the strict algorithm
> for server identity check or maybe reference RFC 6125.

Given the time frame and what we know, I think the existing text is OK. This is what wpa_supplicant does in its implementation, and it seems to work fine.

Apple appears to do the same thing:

https://opensource.apple.com/source/eap8021x/eap8021x-264.30.3/EAP8021X.fproj/EAPTLSUtil.c.auto.html

Look for "trusted_server_names", which leads to:

https://opensource.apple.com/source/eap8021x/eap8021x-156/EAP8021X.fproj/EAPTLSUtil.c

server_name_matches_server_names()

Which checks if the name from the cert is an exact match for one of the "trusted_server_names", or contains "*." followed by a suffix which is one of the trusted server names.

I think it's past the time where this document can ask supplicants to change their behavior. We know what the supplicants do, it's not wrong, and it seems to work. So let's document that, and move on.

Alan DeKok.
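The matching rule Alan describes above (a certificate name either equals one of the configured trusted server names, or is "*." followed by a suffix that is itself one of the trusted names) is small enough to write out in full. The block below is an added illustration of that rule as stated in the message; it is not wpa_supplicant's code nor Apple's `server_name_matches_server_names()`, and it assumes case-insensitive comparison with a trailing dot ignored, and that only a single leading "*." is honoured. The function and sample names (`name_matches_trusted`, `server_identity_ok`, the `example.com` hosts) are constructed for the example.

```python
"""Supplicant-side server identity check, written to mirror the rule described
in the message above: a name from the server certificate passes if it is an
exact match for a trusted server name, or if it has the form "*.<suffix>" and
<suffix> is exactly one of the trusted server names.

Added example code; not wpa_supplicant's or Apple's implementation."""

from typing import Iterable


def _normalize(name: str) -> str:
    # Assumption: DNS names compare case-insensitively and an absolute-name
    # trailing dot carries no meaning for this check.
    return name.strip().rstrip(".").lower()


def name_matches_trusted(cert_name: str, trusted_names: Iterable[str]) -> bool:
    """Return True if cert_name is acceptable against the trusted name list."""
    cert = _normalize(cert_name)
    trusted = {_normalize(t) for t in trusted_names if t.strip()}
    if not cert:
        return False
    # Rule 1: exact match.
    if cert in trusted:
        return True
    # Rule 2: "*." + suffix, where the suffix must be a trusted name in full.
    # Only one leading wildcard label is accepted; a further "*" anywhere in
    # the remainder is rejected rather than treated as a pattern.
    if cert.startswith("*.") and "*" not in cert[2:]:
        return cert[2:] in trusted
    return False


def server_identity_ok(cert_names: Iterable[str], trusted_names: Iterable[str]) -> bool:
    """The certificate passes when any presented name matches; an empty
    list of presented names never passes."""
    return any(name_matches_trusted(n, trusted_names) for n in cert_names)


if __name__ == "__main__":
    # Constructed sample: names a supplicant might pull from a server
    # certificate (SAN dNSName entries) and the operator's configured list.
    presented = ["other.example.net", "*.example.com"]
    configured = ["example.com"]
    print("server identity ok:", server_identity_ok(presented, configured))
```

The practical consequence of rule 2 is worth seeing in the assertions: a wildcard certificate for `*.example.com` is accepted only when `example.com` itself is in the trusted list, not when the list holds a specific host such as `radius.example.com`.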
