Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-11 Thread Jan-Frederik Rieckers
On 12.11.19 00:15, Owen Friel (ofriel) wrote:
> One deployment consideration is if an operator wants to use a public PKI
> (e.g. Let's Encrypt) for their AAA certs, then it could be years, if ever,
> before these extensions could be supported (as Alan alludes to), so it would
> also be good to

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-11 Thread Alan DeKok
On Nov 11, 2019, at 6:15 PM, Owen Friel (ofriel) wrote:
>
> This is also related to ongoing anima discussions about RFC 8366, and how it
> can bootstrap trust when the pinned domain cert is a public PKI CA, and not a
> private CA, and hence additional domain (or realm or FQDN) info is also
>

Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

2019-11-11 Thread Joseph Salowey
On Mon, Nov 11, 2019 at 11:41 AM Alan DeKok wrote:
> On Nov 11, 2019, at 12:52 PM, Owen Friel (ofriel)
> wrote:
> >
> > [ofriel] Is the primary reason they MUST NOT be copied because of
> encoding differences? UTF-8 vs. TLS raw bytes?
>
> Yes. EAP Identities are UTF-8 encoded strings.

Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

2019-11-11 Thread Alan DeKok
On Nov 11, 2019, at 12:52 PM, Owen Friel (ofriel) wrote:
>
> [ofriel] Is the primary reason they MUST NOT be copied because of encoding
> differences? UTF-8 vs. TLS raw bytes?

Yes. EAP Identities are UTF-8 encoded strings. Non-compliant identities will likely result in the packet being

Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

2019-11-11 Thread Owen Friel (ofriel)
> -Original Message-
> From: Emu On Behalf Of Alan DeKok
> Sent: 08 November 2019 12:43
> To: Joseph Salowey
> Cc: EMU WG
> Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
>
> On Nov 7, 2019, at 11:08 PM, Joseph Salowey wrote:
> > [Joe] How about
> > "If an

Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

2019-11-11 Thread Owen Friel (ofriel)
> -Original Message-
> From: Alan DeKok
> Sent: 07 November 2019 17:48
> To: Owen Friel (ofriel)
> Cc: Joseph Salowey ; draft-ietf-emu-eap-tl...@ietf.org;
> John Mattsson ; Michael
> Richardson ; EMU WG
> Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
>
> On Nov 7,

Re: [Emu] EAP questions (RE: POST WGLC Comments draft-ietf-emu-eap-tls13)

2019-11-11 Thread Owen Friel (ofriel)
> -Original Message-
> From: Alan DeKok
> Sent: 07 November 2019 17:43
> To: Owen Friel (ofriel)
> Cc: Joseph Salowey ; draft-ietf-emu-eap-tl...@ietf.org;
> EMU WG ; John Mattsson
> ; Michael Richardson
>
> Subject: Re: EAP questions (RE: [Emu] POST WGLC Comments draft-ietf-emu-
>

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

2019-11-11 Thread Jan-Frederik Rieckers
Hi,

Thank you for your feedback. I was unaware of RFC 7585. I had a brief look at it and it seems that the certificate part could be used for the goal I try to achieve. I'm not quite sure if the naiRealm should be used for validation on supplicants for EAP-TLS. I would assume it would not be a