Currently EAP-TLS does not require OCSP. Ryan has requested that we make support for the OCSP TLS extension (RFC 4366, section 3.6) a SHOULD implement in EAP-TLS.

The benefit of this is that it allows the peer to check for certificate revocation before it has access to the network. Without this, if the peer does not have an up-to-date CRL, it must defer revocation checking until it has network access and can receive an up-to-date CRL. The peer must limit its trust in the security of its network connection until it can access the CRL.

The downside of this is that it places a new requirement on EAP-TLS implementations. Even though it is a SHOULD and not a MUST, it is important to realize that a SHOULD is a requirement to implement unless there are circumstances which make this requirement not apply to a particular situation.

I would like to hear views from the working group on this topic.

Joe

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www1.ietf.org/mailman/listinfo/emu
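The extension under discussion is the TLS status_request extension of RFC 4366 section 3.6: the client (here, the EAP peer) sends a CertificateStatusRequest in its ClientHello, and a server that supports it staples an OCSPResponse into a CertificateStatus handshake message, so the peer can evaluate revocation inside the EAP-TLS exchange before it has any network access. The following is an added example, not code from the mailing-list post or from any EAP-TLS implementation; it encodes and strictly parses both wire structures with length checks on every vector. The four-byte "OCSP response" used in the usage section is a constructed placeholder, not a real DER OCSPResponse, and validating the response itself (signature, nonce, thisUpdate/nextUpdate) is left to a real OCSP library.

```python
import struct

STATUS_TYPE_OCSP = 1  # CertificateStatusType.ocsp (RFC 4366 section 3.6)


def encode_status_request(responder_ids=(), request_extensions=b""):
    """Encode the CertificateStatusRequest body of the status_request extension.

    Layout: status_type(1) | responder_id_list<0..2^16-1> | request_extensions<0..2^16-1>
    where each ResponderID inside the list is opaque<1..2^16-1>.
    """
    for rid in responder_ids:
        if not 1 <= len(rid) <= 0xFFFF:
            raise ValueError("ResponderID must be 1..65535 bytes")
    rid_list = b"".join(struct.pack("!H", len(rid)) + rid for rid in responder_ids)
    if len(rid_list) > 0xFFFF or len(request_extensions) > 0xFFFF:
        raise ValueError("vector too long for a 16-bit length prefix")
    return (bytes([STATUS_TYPE_OCSP])
            + struct.pack("!H", len(rid_list)) + rid_list
            + struct.pack("!H", len(request_extensions)) + request_extensions)


def decode_status_request(data):
    """Parse a CertificateStatusRequest; raise ValueError on any malformed input."""
    if len(data) < 5:
        raise ValueError("truncated CertificateStatusRequest")
    status_type = data[0]
    if status_type != STATUS_TYPE_OCSP:
        raise ValueError("unknown status_type %d" % status_type)
    rid_len = struct.unpack("!H", data[1:3])[0]
    pos, end = 3, 3 + rid_len
    if end + 2 > len(data):
        raise ValueError("responder_id_list overruns the extension")
    responder_ids = []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated ResponderID length")
        n = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        if n == 0 or pos + n > end:  # opaque<1..2^16-1>: zero length is invalid
            raise ValueError("bad ResponderID length")
        responder_ids.append(data[pos:pos + n])
        pos += n
    ext_len = struct.unpack("!H", data[end:end + 2])[0]
    ext_start = end + 2
    if ext_start + ext_len != len(data):
        raise ValueError("request_extensions length mismatch")
    return {"status_type": status_type,
            "responder_ids": responder_ids,
            "request_extensions": data[ext_start:]}


def encode_certificate_status(ocsp_response_der):
    """Encode the server's CertificateStatus body: status_type(1) | OCSPResponse opaque<1..2^24-1>."""
    n = len(ocsp_response_der)
    if not 1 <= n <= 0xFFFFFF:
        raise ValueError("OCSPResponse must be 1..2^24-1 bytes")
    return bytes([STATUS_TYPE_OCSP]) + n.to_bytes(3, "big") + ocsp_response_der


def decode_certificate_status(data):
    """Return the stapled DER OCSPResponse from a CertificateStatus body, or raise ValueError."""
    if len(data) < 4 or data[0] != STATUS_TYPE_OCSP:
        raise ValueError("not an ocsp CertificateStatus message")
    n = int.from_bytes(data[1:4], "big")
    if n == 0 or 4 + n != len(data):
        raise ValueError("bad OCSPResponse length")
    return data[4:]


if __name__ == "__main__":
    # Peer side: ask for a stapled response, no preferred responders, no extensions.
    req = encode_status_request()
    print("ClientHello status_request body:", req.hex())
    # Server side: staple a (constructed, placeholder) OCSP response into CertificateStatus.
    fake_ocsp_der = b"\x30\x03\x0a\x01"  # placeholder bytes, not a real OCSPResponse
    status_msg = encode_certificate_status(fake_ocsp_der)
    print("CertificateStatus body:", status_msg.hex())
    print("Peer recovered OCSPResponse:", decode_certificate_status(status_msg).hex())
```

A peer that sends the request but receives no CertificateStatus message learns nothing about revocation from the handshake, which is exactly the case the post describes: it must then treat the connection as only provisionally trusted until it can fetch a CRL or contact an OCSP responder over the network it has just joined.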