On Tue, Jul 6, 2021 at 10:08 PM Joseph Salowey <[email protected]> wrote:
> On Mon, Jun 28, 2021 at 8:11 AM Oleg Pekar <[email protected]> wrote:
>
>> I still see unclearness in Section "2.2. Identity Verification"; I'm
>> trying to look from the implementer's perspective.
>>
>> 1) "Since EAP-TLS deployments may use more than one EAP
>> server, each with a different certificate, EAP peer implementations
>> SHOULD allow for the configuration of a unique trusted root (CA
>> certificate) to authenticate the server certificate and one or more
>> server names to match against the SubjectAltName (SAN) extension in
>> the server certificate. To simplify name matching, an EAP-TLS
>> deployment can assign a name to represent an authorized EAP server
>> and EAP Server certificates can include this name in the list of SANs
>> for each certificate that represents an EAP-TLS server."
>>
>> --- question: Should the server name match *any* of the SAN extensions in the
>> server certificate? If so, then I suggest saying this explicitly.
>>
>> [Joe] Does adding the following sentence help? "If any of the
>> configured names match any of the names in the SAN extension then the
>> name check passes."
>
> [Joe] Yes, the behavior is to match any.
>
>> 2) "If server
>> name matching is not used, then peers may end up trusting servers for
>> EAP authentication that are not intended to be EAP servers for the
>> network."
>>
>> --- question: It looks like a warning, right? I suggest making it more
>> explicit. Something like "If server name matching is not used, then it
>> essentially decreases the level of security of the peer's authentication since
>> the peer may end up trusting servers for EAP authentication that are not
>> intended to be EAP servers for the network."
>>
> [Joe] Thanks, I think that is better wording.
>
>> Regards,
>> Oleg
>>
>> On Mon, Jun 28, 2021 at 2:26 AM Joseph Salowey <[email protected]> wrote:
>>
>>> This is the working group last-call (WGLC) for draft-ietf-emu-eap-tls13.
>>> Please review the draft, focus on the changes since the last WGLC and
>>> submit your comments to the list by July 8, 2021.
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-emu-eap-tls13/
>>>
>>> There is also an htmlized version available at:
>>> https://datatracker.ietf.org/doc/html/draft-ietf-emu-eap-tls13-17
>>>
>>> A diff from the previous WGLC version (-15):
>>> https://www.ietf.org//rfcdiff?url1=draft-ietf-emu-eap-tls13-17&url2=draft-ietf-emu-eap-tls13-15
>>>
>>> A diff from the previous version is available at:
>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-emu-eap-tls13-17
>>>
>>> Thanks,
>>>
>>> Joe
>>> _______________________________________________
>>> Emu mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/emu
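
An added example, written for this page and not taken from the draft or from anyone in the thread, of the peer-side name check the exchange above settles on: any configured server name matching any DNS SubjectAltName entry passes, and an empty name list shows the weakened deployment the second point warns about. The certificates, hostnames and the "eap.example.com" deployment name are constructed stand-ins.

```python
# Added example, not code from the draft or from anyone in this thread.
# It models the peer-side server-name check Section 2.2 describes: the peer
# holds one trusted root plus a list of server names, and the check passes
# if ANY configured name matches ANY DNS SubjectAltName entry.
# Certificates are constructed records; a real peer's TLS stack would have
# validated the chain against the trusted root before this check runs.
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Constructed stand-in for an X.509 certificate; only the DNS SANs matter here."""
    subject_cn: str
    san_dns: list = field(default_factory=list)


def normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot marks an FQDN, not a different name
    return name.strip().rstrip(".").lower()


def san_name_matches(configured_names, cert: ServerCert) -> bool:
    """True if any configured name equals any SAN DNS entry (exact match, no wildcards)."""
    wanted = {normalize(n) for n in configured_names}
    return any(normalize(s) in wanted for s in cert.san_dns)


def accept_eap_server(configured_names, cert: ServerCert):
    """Peer decision after chain validation; returns (accepted, reason). An empty
    name list disables the check, the weakened deployment the draft warns about."""
    if not configured_names:
        return True, "name matching not configured: any server under the root is accepted"
    if san_name_matches(configured_names, cert):
        return True, "a configured EAP server name is present in SAN"
    return False, "no configured name in SAN (the subject CN is not consulted)"


# Constructed deployment: two EAP servers carrying their own hostname plus the shared
# deployment name eap.example.com in SAN, and a non-EAP server issued by the same CA.
EAP_SERVER_1 = ServerCert("eap1.example.com", ["eap1.example.com", "eap.example.com"])
EAP_SERVER_2 = ServerCert("eap2.example.com", ["eap2.example.com", "EAP.Example.com."])
VPN_SERVER = ServerCert("eap.example.com", ["vpn.example.com"])  # CN alone must not pass
PEER_CONFIG = ["eap.example.com"]

if __name__ == "__main__":
    for cert in (EAP_SERVER_1, EAP_SERVER_2, VPN_SERVER):
        print(cert.subject_cn, accept_eap_server(PEER_CONFIG, cert))
    print("no names configured:", accept_eap_server([], VPN_SERVER))
```

Running it shows both EAP servers accepted on the shared name alone, the VPN server rejected despite its CN, and the VPN server accepted once the name list is empty.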
