From 451ae3ba84b2b2934bc55446bc128bfba7cf7847 Mon Sep 17 00:00:00 2001
From: Denis Kenzior <denkenz@gmail.com>
Date: Thu, 30 Aug 2018 14:39:00 -0500
Subject: [PATCH] TODO: Add certificate element matching task

---
 TODO | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/TODO b/TODO
index 4c25fe5a..115d9076 100644
--- a/TODO
+++ b/TODO
@@ -354,3 +354,17 @@ Wireless daemon
 
   Priority: Medium
   Complexity: C2
+
+- Implement EAP Authenticator certificate element matching
+
+  With TLS based EAP methods it is possible for certain Man-In-The-Middle
+  attacks to be performed by having a trusted CA issue a certificate for an
+  unrelated domain and then have an adversary utilize that certificate to spoof
+  trusted Access Points for a certain SSID.  To prevent this it is possible
+  for clients to further limit what certificates they accept by utilizing
+  dNSName sub-element of SubjectAltName in the X.509 certificate (or
+  alternatively the SubjectName CN) of the Authenticator.  This matching can
+  be done by suffix, an exact match, or perhaps even glob matching.
+
+  Priority: Medium
+  Complexity: C8