-----Original Message-----
From: Alan DeKok <al...@deployingradius.com> 
Sent: 16 November 2019 14:29
To: Owen Friel (ofriel) <ofr...@cisco.com>
Cc: Jan-Frederik Rieckers <rieck...@uni-bremen.de>; emu@ietf.org
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

On Nov 16, 2019, at 7:59 AM, Owen Friel (ofriel) <ofr...@cisco.com> wrote:
> [ofriel] this seems like something reasonable, but that's more a general 
> deployment recommendation: ensure that the identity/realm of EAP servers is 
> different from the identity/domain of webservers within an org. Therefore in 
> the absence of an NAIRealm or id-kp-eapOverLAN extension in a cert, clients 
> can still distinguish between the two. Users point their browser clients 
> to 'example.org' and wi-fi supplicants are configured to look for 
> 'radius.example.org'.
> 
> The supplicant logic for verifying EAP server identity (assuming it already 
> knows the root CA and a realm/domain string) could be: check for NAIRealm 
> first, then check for id-kp-eapOverLAN, then check for a dnsName.

  There is currently no document which offers guidance for implementors.  
There's just common practice, and various standards.  Which are unfortunately 
different.  Even worse, it's not clear how these practices interact, or how we 
should migrate from existing practice to using the standards.

  I think it would be useful for this WG to have a document which gives these 
guidelines.

[ofriel] Happy to help put a strawman for that together, along with some 
recommendations for the other PSK ambiguity.

  Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
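The supplicant precedence Owen sketches above (NAIRealm first, then id-kp-eapOverLAN, then a plain dNSName) written out as an added Python example. This is illustrative code, not code from the thread or from any EAP supplicant; the OIDs are the ones registered in RFC 7585 (id-on-naiRealm) and RFC 4334 (id-kp-eapOverLAN), while the `ParsedCert` model, the two-parameter `verify_eap_server_identity` interface (a realm for NAIRealm matching and a server name for dNSName matching), the "NAIRealm present but no match rejects" rule and the exact-match-only name comparison are assumptions made for the example. It assumes chain validation against the configured root CA has already succeeded, and it also shows the web/EAP ambiguity the thread discusses: with no EAP-specific extension in the cert, a web-server certificate for `example.org` is accepted only if the supplicant was configured to look for `example.org` instead of `radius.example.org`.

```python
from dataclasses import dataclass, field

# Registered OIDs (RFC 7585, RFC 4334, RFC 5280). Everything else here is an
# added illustration, not an implementation from the thread.
ID_ON_NAIREALM = "1.3.6.1.5.5.7.8.8"      # otherName NAIRealm (RFC 7585)
ID_KP_EAPOVERLAN = "1.3.6.1.5.5.7.3.14"   # EKU id-kp-eapOverLAN (RFC 4334)
ID_KP_SERVERAUTH = "1.3.6.1.5.5.7.3.1"    # EKU id-kp-serverAuth (RFC 5280)


@dataclass
class ParsedCert:
    """Only the fields the identity check needs, as an X.509 parser would
    hand them over (assumed model). Chain validation to the configured
    root CA is assumed to have already succeeded."""
    subject_cn: str
    dns_names: list = field(default_factory=list)   # SAN dNSName entries
    nai_realms: list = field(default_factory=list)  # SAN otherName NAIRealm values
    ekus: list = field(default_factory=list)        # extendedKeyUsage OIDs


def _name_matches(cert_name: str, configured: str) -> bool:
    """Exact, case-insensitive comparison of a DNS name or realm.
    No wildcard handling (assumption, to keep the example small)."""
    return cert_name.rstrip(".").lower() == configured.rstrip(".").lower()


def verify_eap_server_identity(cert: ParsedCert, realm: str, server_name: str) -> tuple:
    """Return (accepted, rule_that_decided) using the precedence from the thread:
    NAIRealm, then id-kp-eapOverLAN, then a plain dNSName."""
    # 1. NAIRealm is the only identifier that says "EAP server for realm X".
    if cert.nai_realms:
        if any(_name_matches(r, realm) for r in cert.nai_realms):
            return True, "NAIRealm"
        # The cert scopes itself to other realms: do not fall through (assumed policy).
        return False, "NAIRealm present but no match"

    # 2. id-kp-eapOverLAN marks an EAP server cert; the name must still match.
    if ID_KP_EAPOVERLAN in cert.ekus:
        if any(_name_matches(d, server_name) for d in cert.dns_names):
            return True, "id-kp-eapOverLAN + dNSName"
        return False, "id-kp-eapOverLAN present but no dNSName match"

    # 3. Legacy fallback: nothing EAP-specific, so only a dNSName can be matched.
    #    This is the step where a web-server cert from the same CA becomes
    #    indistinguishable from an EAP server cert if both use the same name.
    if any(_name_matches(d, server_name) for d in cert.dns_names):
        return True, "dNSName only (legacy)"
    return False, "no matching identifier"


# Constructed sample certificates (not real certificates).
RADIUS_NAI = ParsedCert("radius.example.org", ["radius.example.org"],
                        ["example.org"], [ID_KP_EAPOVERLAN])
RADIUS_EKU = ParsedCert("radius.example.org", ["radius.example.org"],
                        [], [ID_KP_EAPOVERLAN])
RADIUS_LEGACY = ParsedCert("radius.example.org", ["radius.example.org"],
                           [], [ID_KP_SERVERAUTH])
WEB_CERT = ParsedCert("example.org", ["example.org", "www.example.org"],
                      [], [ID_KP_SERVERAUTH])
OTHER_REALM = ParsedCert("radius.example.org", ["radius.example.org"],
                         ["other.example"], [ID_KP_EAPOVERLAN])


if __name__ == "__main__":
    # Supplicant configured the way the thread recommends: distinct server name.
    for label, cert in [("NAIRealm cert", RADIUS_NAI), ("EKU cert", RADIUS_EKU),
                        ("legacy cert", RADIUS_LEGACY), ("web cert", WEB_CERT),
                        ("other realm", OTHER_REALM)]:
        print(label, verify_eap_server_identity(cert, "example.org", "radius.example.org"))
    # Same supplicant misconfigured to look for the web domain: ambiguity appears.
    print("web cert, same name", verify_eap_server_identity(WEB_CERT, "example.org", "example.org"))
```

The return value names the rule that decided, so a deployment can log which level of evidence each EAP server presented and see how far it is from relying on the legacy dNSName fallback.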
