On Mon, Jun 28, 2021 at 8:11 AM Oleg Pekar <oleg.pekar.2...@gmail.com> wrote:
> I still see unclearness in Section "2.2. Identity Verification", I'm
> trying to look from the implementer's perspective.
>
> 1) "Since EAP-TLS deployments may use more than one EAP
> server, each with a different certificate, EAP peer implementations
> SHOULD allow for the configuration of a unique trusted root (CA
> certificate) to authenticate the server certificate and one or more
> server names to match against the SubjectAltName (SAN) extension in
> the server certificate. To simplify name matching, an EAP-TLS
> deployment can assign a name to represent an authorized EAP server
> and EAP Server certificates can include this name in the list of SANs
> for each certificate that represents an EAP-TLS server."
>
> --- question: Should the server name match *any* of the SAN extensions in the
> server certificate? If so, then I suggest saying this explicitly.
>

[Joe] Yes, the behavior is to match any.

> 2) "If server
> name matching is not used, then peers may end up trusting servers for
> EAP authentication that are not intended to be EAP servers for the
> network."
>
> --- question: It looks like a warning, right? I suggest making it more
> explicit. Something like "If server name matching is not used, then it
> essentially decreases the level of security of the peer's authentication since
> the peer may end up trusting servers for EAP authentication that are not
> intended to be EAP servers for the network."
>

[Joe] Thanks, I think that is better wording.

> Regards,
> Oleg
>
> On Mon, Jun 28, 2021 at 2:26 AM Joseph Salowey <j...@salowey.net> wrote:
>
>> This is the working group last-call (WGLC) for draft-ietf-emu-eap-tls13.
>> Please review the draft, focus on the changes since the last WGLC and
>> submit your comments to the list by July 8, 2021.
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-emu-eap-tls13/
>>
>> There is also an htmlized version available at:
>> https://datatracker.ietf.org/doc/html/draft-ietf-emu-eap-tls13-17
>>
>> A diff from the previous WGLC version (-15):
>>
>> https://www.ietf.org//rfcdiff?url1=draft-ietf-emu-eap-tls13-17&url2=draft-ietf-emu-eap-tls13-15
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-emu-eap-tls13-17
>>
>> Thanks,
>>
>> Joe
>> _______________________________________________
>> Emu mailing list
>> Emu@ietf.org
>> https://www.ietf.org/mailman/listinfo/emu
>>
>
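The two points raised above (a configured server name should match *any* SAN entry, and skipping name matching lets any certificate under the trusted root pass) are easy to see in code. The following is an added illustration, not code from draft-ietf-emu-eap-tls13 or from any EAP implementation. It assumes the certificate is already available in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns (`subjectAltName` as a tuple of `(type, value)` pairs), that chain validation against the trusted root happens elsewhere and is passed in as a boolean, and that matching is exact case-insensitive comparison of dNSName entries (no wildcards). The certificates, names and the `PeerConfig` class are constructed for the example.

```python
"""Server name matching for an EAP-TLS peer (illustration of section 2.2 of
draft-ietf-emu-eap-tls13). Added example; not the draft's or any project's code."""
from dataclasses import dataclass

# Constructed sample: certificate of an authorized EAP server. Its SAN list carries
# its own host name and the deployment-wide name "eap.example.net" that the
# deployment assigned to represent "an authorized EAP server".
EAP_SERVER_CERT = {
    "subject": ((("commonName", "radius1.example.com"),),),
    "subjectAltName": (("DNS", "radius1.example.com"), ("DNS", "eap.example.net")),
}

# Constructed sample: a web server certificate issued under the same root. It
# validates against the trusted root but was never intended to be an EAP server.
WEB_SERVER_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}


@dataclass
class PeerConfig:
    # Hypothetical config object: one trusted root for EAP authentication (name
    # only; chain validation is out of scope here) and zero or more server names.
    # An empty tuple means "server name matching is not used".
    trusted_root: str
    server_names: tuple = ()


def san_dns_names(cert):
    """Return the dNSName entries of the SubjectAltName extension, lower-cased."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_matches(cert, server_names):
    """True if ANY configured server name equals ANY SAN dNSName.
    This is the 'match any' behaviour confirmed in the thread; assumption: exact
    case-insensitive equality, no wildcard handling."""
    names = set(san_dns_names(cert))
    return any(name.lower() in names for name in server_names)


def accept_server(cert, chain_ok, config):
    """Decide whether the peer accepts this EAP server's certificate.

    chain_ok: result of validating the chain against config.trusted_root (done elsewhere).
    Returns (accepted, reason)."""
    if not chain_ok:
        return False, "certificate does not chain to the trusted root"
    if not config.server_names:
        # The case the draft warns about: every certificate under the root is accepted,
        # so the peer cannot tell an EAP server from any other server the CA has issued to.
        return True, "accepted without server name matching"
    if san_matches(cert, config.server_names):
        return True, "a SAN dNSName matched a configured server name"
    return False, "no SAN dNSName matched the configured server names"


if __name__ == "__main__":
    strict = PeerConfig("Example Root CA", ("eap.example.net",))
    loose = PeerConfig("Example Root CA")  # name matching not used
    for label, cert in (("EAP server", EAP_SERVER_CERT), ("web server", WEB_SERVER_CERT)):
        print(f"{label:10s} strict: {accept_server(cert, True, strict)}")
        print(f"{label:10s} loose : {accept_server(cert, True, loose)}")
```

With the strict configuration the web server certificate is rejected even though it chains to the same root; with name matching switched off both certificates are accepted, which is exactly the loss of assurance the proposed wording for point 2 describes.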