Re: [Emu] EAP-TLS 1.3 Section 2.2 text

2021-06-08 Thread John Mattsson
This version is fine. Just the term "EAP servers for the network" still looks confusing to me. Maybe we can use instead the more detailed explanation that you provided above. On Tue, May 25, 2021 at 7:45 AM Joseph Salowey ma

Re: [Emu] EAP-TLS 1.3 Section 2.2 text

2021-05-31 Thread Oleg Pekar
This version is fine. Just the term "EAP servers for the network" still looks confusing to me. Maybe we can use instead the more detailed explanation that you provided above. On Tue, May 25, 2021 at 7:45 AM Joseph Salowey wrote: > I made some changes to the pull request to address some of the

Re: [Emu] EAP-TLS 1.3 Section 2.2 text

2021-05-25 Thread Heikki Vatiainen
On Tue, 25 May 2021 at 07:45, Joseph Salowey wrote: > I made some changes to the pull request to address some of the comments > and make the text clearer: > One note about the TOFU mechanism: What we've seen is that certificate renewal also triggers server certificate re-trust

Re: [Emu] EAP-TLS 1.3 Section 2.2 text

2021-05-25 Thread Alan DeKok
I think that's good. > On May 25, 2021, at 12:45 AM, Joseph Salowey wrote: > > I made some changes to the pull request to address some of the comments and > make the text clearer: > > The EAP peer identity provided in the EAP-Response/Identity is not >authenticated by EAP-TLS.

Re: [Emu] EAP-TLS 1.3 Section 2.2 text

2021-05-24 Thread Joseph Salowey
I made some changes to the pull request to address some of the comments and make the text clearer: The EAP peer identity provided in the EAP-Response/Identity is not authenticated by EAP-TLS. Unauthenticated information MUST NOT be used for accounting purposes or to give authorization.

Re: [Emu] EAP-TLS 1.3 Section 2.2 text

2021-05-20 Thread Joseph Salowey
On Wed, May 19, 2021 at 5:58 AM Alan DeKok wrote: > On May 19, 2021, at 8:37 AM, Oleg Pekar wrote: > > After thinking a bit more about it - for the sake of the client > implementation clarity, would it be better if we provide the strict > algorithm for server identity check or maybe reference

Re: [Emu] EAP-TLS 1.3 Section 2.2 text

2021-05-19 Thread Alan DeKok
On May 19, 2021, at 8:37 AM, Oleg Pekar wrote: > After thinking a bit more about it - for the sake of the client > implementation clarity, would it be better if we provide the strict algorithm > for server identity check or maybe reference RFC 6125. Given the time frame and what we know, I

Re: [Emu] EAP-TLS 1.3 Section 2.2 text

2021-05-19 Thread Oleg Pekar
+Peter After thinking a bit more about it - for the sake of the client implementation clarity, would it be better if we provide the strict algorithm for server identity check or maybe reference RFC 6125. On Mon, May 17, 2021 at 11:58 PM Oleg Pekar wrote: > To section: 2.2. Identity

Re: [Emu] EAP-TLS 1.3 Section 2.2 text

2021-05-17 Thread Oleg Pekar
To section: 2.2. Identity Verification 1) If server name matching is not used, then peers may end up trusting servers for EAP authentication that are not intended to be EAP servers for the network. -- comment: What is meant by "EAP server for the network"? 2) EAP peer implementations

Re: [Emu] EAP-TLS 1.3 Section 2.2 text

2021-05-17 Thread Russ Housley
Nit: RFC 5280 (see Section 4.2.1.6) talks about the subject alternative name extension, which has an ASN.1 definition for SubjectAltName. So, please do not refer to subjectAlternativeName. Russ > On May 15, 2021, at 8:21 PM, Joseph Salowey wrote: > > I proposed a PR#72 >

Re: [Emu] EAP-TLS 1.3 Section 2.2 text

2021-05-17 Thread Eliot Lear
Let this be the biggest argument on this list ;-) > On 17 May 2021, at 14:44, Alan DeKok wrote: > > > This is just a personal preference, but "MUST NOT" is clearer to me than > SHALL NOT. It's also more used, IIRC.

Re: [Emu] EAP-TLS 1.3 Section 2.2 text

2021-05-17 Thread Alan DeKok
On May 15, 2021, at 8:21 PM, Joseph Salowey wrote: > I proposed a PR#72 based on this suggestion. The resulting text for the > section is below. Please review to see if it is OK. It looks good, subject to minor comments. >The EAP peer identity provided in the EAP-Response/Identity is

Re: [Emu] EAP-TLS 1.3 Section 2.2 text

2021-05-15 Thread Joseph Salowey
I proposed a PR#72 based on this suggestion. The resulting text for the section is below. Please review to see if it is OK. Thanks, Joe 2.2. Identity Verification This section updates Section 2.2 of [RFC5216]. The EAP peer

Re: [Emu] EAP-TLS 1.3 Section 2.2 text

2021-05-10 Thread Alan DeKok
On May 9, 2021, at 9:16 PM, Joseph Salowey wrote: > [Joe] This is a good question. There are multiple ways this could be > addressed. All servers should have one of their list of SANs that matches > the name used for EAP servers. Another option is for supplicants to allow > for the
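The server identity check discussed in this thread (Joe's "one of their list of SANs that matches the name used for EAP servers" on May 10, and Oleg's May 19 suggestion of referencing RFC 6125) is shown below as an added example. It is not code from the thread, from the draft, or from any EAP-TLS implementation. It assumes the supplicant already has the certificate's dNSName subjectAltName entries as strings (parsing the certificate is out of scope) and that the configured EAP server names are the reference identifiers; the names and SAN lists are constructed for the example.

```python
"""
Added example: RFC 6125-style matching of a configured EAP server name
against a server certificate's subjectAltName dNSName entries.
Not part of the EMU thread or of any EAP-TLS implementation.
The sample names below are constructed, not taken from real certificates.
"""


def _labels(name):
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.lower().rstrip(".").split(".")


def dns_name_matches(reference, presented):
    """Match one presented dNSName against one configured reference name.

    Conservative reading of RFC 6125 section 6.4.3:
      - comparison is case-insensitive, label by label;
      - a wildcard is honoured only as the entire left-most label
        ("*.example.com", never "rad*.example.com" or "a.*.example.com");
      - the wildcard matches exactly one label, so "*.corp.example" matches
        "radius1.corp.example" but not "corp.example" or "a.b.corp.example";
      - a wildcard needs at least two labels to its right ("*.com" is rejected).
    """
    ref = _labels(reference)
    pres = _labels(presented)
    if not ref or not pres or "" in ref or "" in pres:
        return False
    # A wildcard anywhere but the left-most label is never honoured.
    if any("*" in lbl for lbl in pres[1:]):
        return False
    if pres[0] == "*":
        if len(pres) < 3:
            return False
        return len(ref) == len(pres) and ref[1:] == pres[1:]
    if "*" in pres[0]:
        return False  # partial wildcard such as "rad*" is not honoured
    return ref == pres


def server_identity_ok(configured_names, san_dns_names):
    """True if any configured EAP server name matches any SAN dNSName.

    Only subjectAltName dNSName entries are consulted; the subject CN is
    deliberately not used as a fallback.  A certificate chaining to the
    trusted CA but carrying no matching SAN is rejected, which is the
    failure the thread warns about when name matching is skipped.
    """
    return any(dns_name_matches(ref, san)
               for ref in configured_names
               for san in san_dns_names)


def demo():
    """Constructed scenario: two certificates issued by the same trusted CA."""
    configured = ["radius1.corp.example", "*.eap.corp.example"]
    # The real EAP server's certificate (constructed SAN list).
    eap_server_sans = ["radius1.corp.example", "radius2.corp.example"]
    # Another device's certificate from the same CA (constructed SAN list);
    # it would pass chain validation alone, and must fail on name matching.
    printer_sans = ["printer.corp.example"]
    return {
        "eap_server": server_identity_ok(configured, eap_server_sans),
        "printer": server_identity_ok(configured, printer_sans),
    }


if __name__ == "__main__":
    print(demo())
```

Note that `server_identity_ok` treats the configured names as the reference identifiers exactly as typed by the administrator; supplicants that take the name from the EAP-Response/Identity or from an unauthenticated network hint would be trusting exactly the input the draft text says must not be relied on.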