I still see some unclear points in Section "2.2. Identity Verification"; I'm
trying to look at it from the implementer's perspective.

1) "Since EAP-TLS deployments may use more than one EAP
   server, each with a different certificate, EAP peer implementations
   SHOULD allow for the configuration of a unique trusted root (CA
   certificate) to authenticate the server certificate and one or more
   server names to match against the SubjectAltName (SAN) extension in
   the server certificate.  To simplify name matching, an EAP-TLS
   deployment can assign a name to represent an authorized EAP server
   and EAP Server certificates can include this name in the list of SANs
   for each certificate that represents an EAP-TLS server."

--- question: Should the server name match *any* of the SAN extensions in the
server certificate? If so, then I suggest saying this explicitly.

2) "If server
   name matching is not used, then peers may end up trusting servers for
   EAP authentication that are not intended to be EAP servers for the
   network."

--- question: It looks like a warning, right? I suggest making it more
explicit. Something like "If server name matching is not used, then it
essentially decreases the level of security of the peer's authentication, since
the peer may end up trusting servers for EAP authentication that are not
intended to be EAP servers for the network."

Regards,
Oleg

On Mon, Jun 28, 2021 at 2:26 AM Joseph Salowey <j...@salowey.net> wrote:

> This is the working group last-call (WGLC) for draft-ietf-emu-eap-tls13.
> Please review the draft, focus on the changes since the last WGLC and
> submit your comments to the list by July 8, 2021.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-emu-eap-tls13/
>
> There is also an htmlized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-emu-eap-tls13-17
>
> A diff from the previous WGLC version (-15):
>
> https://www.ietf.org//rfcdiff?url1=draft-ietf-emu-eap-tls13-17&url2=draft-ietf-emu-eap-tls13-15
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-emu-eap-tls13-17
>
> Thanks,
>
> Joe
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
>
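As an added illustration (not text from the draft or the thread), the peer-side check the quoted Section 2.2 describes, written out as Python: one configured trusted root, one or more configured server names, acceptance only if some configured name equals some dNSName in the certificate's SAN. Chain validation is modelled as the CA identifier the TLS stack reports, and the `PeerConfig`, `check_server_identity` names and all sample values are constructed for the example.

```python
"""Peer-side EAP-TLS server identity policy (constructed example, not from the draft)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class PeerConfig:
    trusted_root: str                         # the single configured CA (hypothetical identifier)
    server_names: set[str] = field(default_factory=set)  # names an authorized EAP server may carry


def _norm(name: str) -> str:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower()


def check_server_identity(cfg: PeerConfig, issuer_root: str | None,
                          san_dns_names: list[str]) -> tuple[bool, str]:
    """Return (accepted, reason).

    issuer_root    -- CA the TLS stack chained the server certificate to,
                      or None if chain validation failed (assumed interface).
    san_dns_names  -- dNSName entries from the SubjectAltName extension.
    """
    # Step 1: the chain must terminate at the one configured trusted root.
    if issuer_root is None or issuer_root != cfg.trusted_root:
        return False, "certificate does not chain to the configured trusted root"

    # Step 2: server name matching.  With no names configured, matching is
    # "not used" and every server issued under the CA is accepted, which is
    # exactly the weaker situation the draft warns about.
    if not cfg.server_names:
        return True, "WARNING: no server names configured; any server under the CA is accepted"

    wanted = {_norm(n) for n in cfg.server_names}
    present = {_norm(n) for n in san_dns_names}
    matched = wanted & present                # any configured name vs. any SAN entry
    if matched:
        return True, f"matched {sorted(matched)}"
    return False, f"no configured name found in SAN {sorted(present)}"


if __name__ == "__main__":
    # Deployment-assigned name shared by two EAP servers with distinct certificates.
    cfg = PeerConfig("Example EAP Root CA", {"eap.example.net"})
    for sans in (["radius1.example.net", "EAP.example.net."], ["radius3.example.net"]):
        print(sans, "->", check_server_identity(cfg, "Example EAP Root CA", sans))
```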