RE: [Emu] WGLC comments for draft-simon-emu-rfc2716bis
> How about rephrasing the text to something like this?
>
> Since the identity presented in the Identity Response need not be
> related to the identity presented in the peer certificate, EAP-TLS
> implementations SHOULD NOT require that they be identical.
> However, if they are not identical, the identity presented in the
> Identity Response is unauthenticated information, and SHOULD NOT be
> used for access control or accounting purposes.
Looks good.
> I'm aware that some implementations do this, but the document should
> explain the security implications better. If you compare the name in
> the certificate with the expected server name, an attacker can fool you
> if he breaks into that server and steals its private key. If you don't
> check the name, the attacker can steal a private key corresponding to
> any certificate issued by your trusted CA (which in the case of a large
> CA could be millions of potential points of failure).
OK.
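For readers following the thread, here is what the two peer-side policies discussed above look like in practice. This is an added example, not text from the draft or from any participant: it shows two wpa_supplicant EAP-TLS network blocks, one that only verifies the chain to the trusted CA and one that additionally pins the server name with domain_match. The SSID, hostname, file paths and identity string are assumed values for illustration.

```conf
# Added example: EAP-TLS peer (wpa_supplicant) network blocks.
# SSID, hostname, file paths and identity are assumed for illustration.

# Weak policy: only requires that the server certificate chains to the
# trusted CA. Any certificate that CA ever issued (and therefore any
# private key stolen from any of its subjects) is accepted as the
# authentication server.
network={
    ssid="corp"
    key_mgmt=WPA-EAP
    eap=TLS
    # Sent in the EAP Identity Response. It is unauthenticated and need
    # not match the peer certificate, so the server must not base
    # access control or accounting on it.
    identity="anonymous@example.com"
    ca_cert="/etc/cert/corp-ca.pem"
    client_cert="/etc/cert/user.pem"
    private_key="/etc/cert/user.key"
}

# Stronger policy: additionally requires the server certificate to carry
# the expected name. domain_match is a full match against the
# SubjectAltName dNSName entries, falling back to the subject CN when no
# dNSName is present. Now only the key of radius.corp.example.com itself
# is a point of failure, not every key under the CA.
network={
    ssid="corp"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="anonymous@example.com"
    ca_cert="/etc/cert/corp-ca.pem"
    domain_match="radius.corp.example.com"
    client_cert="/etc/cert/user.pem"
    private_key="/etc/cert/user.key"
}
```

If several servers share a parent domain, domain_suffix_match accepts any name under that suffix, which is a looser but still bounded check; subject_match (a substring match on the subject DN) is weaker than either and is best avoided.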
_______________________________________________
Emu mailing list
Emu at ietf.org
https://www1.ietf.org/mailman/listinfo/emu
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.