Alan DeKok <ade...@gmail.com> wrote:
> The current draft is missing some points:
>
> * SNI for the supplicant to indicate which domain it would like to access
> * supplicant examination of the server certificate to see which domain it accessed

This is actually a bit of a complex question, I think.
If the realm announced is eap.arpa, wouldn't the SNI have to have that?

Given that, and given that it's a domain that you can't get a certificate for, it seems that the supplicant will have to accept whatever certificate is returned on faith, until the device is online enough to do more.

This is not surprising in RFC8995 (BRSKI), as it typically creates a provisional TLS connection to the Registrar, which is *later* authorized by an RFC8366 voucher.

Can we do this with supplicants? I imagine so, but the write-up in the document could be challenging.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu