Hi Oleg, Joe, all, On 7/8/21 8:06 AM, Joseph Salowey wrote:
On Tue, Jul 6, 2021 at 10:08 PM Joseph Salowey <j...@salowey.net<mailto:j...@salowey.net>> wrote: On Mon, Jun 28, 2021 at 8:11 AM Oleg Pekar <oleg.pekar.2...@gmail.com<mailto:oleg.pekar.2...@gmail.com>> wrote: I still see unclearness in Section "2.2. Identity Verification", I'm trying to look from the implementer's perspective. 1) "Since EAP-TLS deployments may use more than one EAP server, each with a different certificate, EAP peer implementations SHOULD allow for the configuration of a unique trusted root (CA certificate) to authenticate the server certificate and one or more server names to match against the SubjectAltName (SAN) extension in the server certificate. To simplify name matching, an EAP-TLS deployment can assign a name to represent an authorized EAP server and EAP Server certificates can include this name in the list of SANs for each certificate that represents an EAP-TLS server." --- question: Should the server name match *any* of SAN extensions in the server certificate? If so - then suggest to say this explicitly. [Joe] DOes adding the following sentence help? "If any of the configured names match any of the names in the SAN extension then the name check passes." This makes sense. I will update the draft in github. [Joe] yes the behavior is to match any. 2) "If server name matching is not used, then peers may end up trusting servers for EAP authentication that are not intended to be EAP servers for the network." --- question: It looks like a warning, right? Suggest to make it more explicit. Something like "If server name matching is not used, then it essentially decreases the level of security of peer's authentication since the peer may end up trusting servers for EAP authentication that are not intended to be EAP servers for the network." [Joe] Thanks, I think that is better wording. I find the text a little hard to parse. I am not sure how comfortable we are with defining "levels" of security. Also, "peer's authentication" might confuse the reader since we are talking about server name matching. I don't really have a better suggestion. Perhaps something along the lines: .... it essentially degrades the peer's confidence that the EAP server with which it is interacting is authoritative for the given network....?? --Mohit Regards, Oleg On Mon, Jun 28, 2021 at 2:26 AM Joseph Salowey <j...@salowey.net<mailto:j...@salowey.net>> wrote: This is the working group last-call (WGLC) for draft-ietf-emu-eap-tls13. Please review the draft, focus on the changes since the last WGLC and submit your comments to the list by July 8, 2021. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-emu-eap-tls13/ There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-emu-eap-tls13-17 A diff from the previous WGLC version (-15): https://www.ietf.org//rfcdiff?url1=draft-ietf-emu-eap-tls13-17&url2=draft-ietf-emu-eap-tls13-15 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-emu-eap-tls13-17 Thanks, Joe _______________________________________________ Emu mailing list Emu@ietf.org<mailto:Emu@ietf.org> https://www.ietf.org/mailman/listinfo/emu _______________________________________________ Emu mailing list Emu@ietf.org<mailto:Emu@ietf.org> https://www.ietf.org/mailman/listinfo/emu
_______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
