On Tue, 25 May 2021 at 07:45, Joseph Salowey <[email protected]> wrote:
> I made some changes to the pull request to address some of the comments
> and make the text clearer:

One note about the TOFU mechanism: What we've seen is that certificate renewal also triggers server certificate re-trust query/prompt/other action. That is, even if the issuing CA, public key and subject/SAN names remain the same, the certificate is deemed as changed by the EAP peer. In other words, if only validity dates have changed in the certified information, users are prompted again.

Should TOFU be defined more closely in a future document, it could be beneficial to give guidance on which changes are accepted without validation. One option is to not allow any changes, but allowing some renewals to be accepted transparently could be useful. This is especially seen with public root CAs where certificate validity periods are getting shorter.

I'm not suggesting changes to the text below. The above is just a consideration for any possible future documents that relate to TOFU.

> The process of configuring a root CA certificate and a server name is
> non-trivial and therefore automated methods of provisioning are
> RECOMMENDED. For example, the eduroam federation [RFC7593] provides
> a Configuration Assistant Tool (CAT) to automate the configuration
> process. In the absence of a trusted root CA certificate (user
> configured or system-wide), EAP peers MAY implement a trust on first
> use (TOFU) mechanism where the peer trusts and stores the server
> certificate during the first connection attempt. The EAP peer
> ensures that the server presents the same stored certificate on
> subsequent interactions. Use of a TOFU mechanism does not allow for
> the server certificate to change without out-of-band validation of
> the certificate and is therefore not suitable for many deployments
> including ones where multiple EAP servers are deployed for high
> availability.

--
Heikki Vatiainen
[email protected]
