On Wed, May 19, 2021 at 5:58 AM Alan DeKok <[email protected]> wrote:
> On May 19, 2021, at 8:37 AM, Oleg Pekar <[email protected]> wrote:
> >
> > After thinking a bit more about it - for the sake of the client
> > implementation clarity, would it be better if we provide the strict
> > algorithm for server identity check or maybe reference RFC 6125.
>
> Given the time frame and what we know, I think the existing text is OK.
>

[Joe] In addition the intent of the text is to make implementers aware of the issues and provide some guidance as to how to solve the problem. I don't think we can dictate too much more at this point. We can have follow-on work to have a strict algorithm if deployers and implementers feel it is necessary.

> This is what wpa_supplicant does in its implementation, and it seems to
> work fine. Apple appears to do the same thing:
>
> https://opensource.apple.com/source/eap8021x/eap8021x-264.30.3/EAP8021X.fproj/EAPTLSUtil.c.auto.html
>
> Look for "trusted_server_names", which leads to:
>
> https://opensource.apple.com/source/eap8021x/eap8021x-156/EAP8021X.fproj/EAPTLSUtil.c
>
> server_name_matches_server_names()
>
> Which checks if the name from the cert is an exact match for one of the
> "trusted_server_names", or contains "*." followed by a suffix which is one
> of the trusted server names.
>
> I think it's past the time where this document can ask supplicants to
> change their behavior. We know what the supplicants do, it's not wrong,
> and it seems to work. So let's document that, and move on.
>
> Alan DeKok.
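The matching rule Alan describes above (exact match against a configured trusted server name, or a "*." wildcard whose suffix is itself a trusted server name) is easy to get subtly wrong, so here is an added, illustrative implementation in Python. It is not the draft's text, nor wpa_supplicant's or Apple's code; the function names, the constructed trusted-name list, and the two tightenings noted in comments (the wildcard must be the whole leftmost label, and its suffix must contain at least two labels) are assumptions of this example, taken from RFC 6125's wildcard guidance rather than from the thread.

```python
"""Illustrative EAP-TLS supplicant server-name check (example code, not the
draft's or any supplicant's actual implementation).

Rule demonstrated, as described on the Emu list:
  a name from the server certificate is accepted if it is an exact match for
  a configured trusted server name, or if it is "*." followed by a suffix
  that is itself one of the trusted server names.
"""

from typing import Iterable, Optional


def _normalise(name: str) -> str:
    # DNS names compare case-insensitively; a trailing root dot is dropped so
    # "radius.example.com." and "radius.example.com" are treated as equal.
    return name.strip().rstrip(".").lower()


def server_name_matches(cert_name: str, trusted_server_names: Iterable[str]) -> bool:
    """Return True if cert_name is acceptable given the trusted-name list."""
    trusted = {_normalise(t) for t in trusted_server_names}
    trusted.discard("")  # assumption: blank entries never match anything
    name = _normalise(cert_name)
    if not name:
        return False

    # Case 1: exact match against a configured trusted server name.
    if name in trusted:
        return True

    # Case 2: wildcard form, "*." followed by a suffix that is a trusted name.
    # Assumption (RFC 6125 section 6.4.3 style): the wildcard is honoured only
    # as the entire leftmost label, so "rad*.example.com" or "a.*.example.com"
    # never match, and the suffix must itself have at least two labels so a
    # wildcard can never cover a whole top-level domain such as "*.com".
    if name.startswith("*."):
        suffix = name[2:]
        if "*" not in suffix and suffix.count(".") >= 1 and suffix in trusted:
            return True
    return False


def first_matching_name(cert_names: Iterable[str],
                        trusted_server_names: Iterable[str]) -> Optional[str]:
    """Apply the check to every name the certificate presents (for example all
    SAN dNSName entries, then the CN) and return the first acceptable one, or
    None if the server's identity could not be matched."""
    for candidate in cert_names:
        if server_name_matches(candidate, trusted_server_names):
            return candidate
    return None


# Constructed sample configuration for the demo below (not from the thread).
TRUSTED_SERVER_NAMES = ["radius.example.com", "example.com"]


def demo() -> dict:
    """Run the check over a few constructed certificate names and return the
    outcome of each, so the behaviour can be inspected or asserted on."""
    cases = {
        "radius.example.com": ["radius.example.com"],           # exact match
        "RADIUS.Example.COM.": ["radius.example.com"],           # case/root dot
        "*.example.com": ["example.com"],                        # wildcard ok
        "rad*.example.com": ["example.com"],                     # partial wildcard
        "radius.example.com.attacker.test": ["example.com"],     # suffix trick
    }
    return {cert: server_name_matches(cert, trusted) for cert, trusted in cases.items()}


if __name__ == "__main__":
    for cert_name, accepted in demo().items():
        print(f"{cert_name:40} {'accepted' if accepted else 'rejected'}")
    print("first match:", first_matching_name(["eap.example.org", "*.example.com"],
                                              TRUSTED_SERVER_NAMES))
```

Note that the wildcard in this rule sits in the certificate's name, with the configured trusted name being the bare suffix; a deployment that instead puts "*.example.com" in the trusted list only matches a certificate carrying that literal name through the exact-match branch.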
_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
