TLS can present an OCSP response for the end certificate; if you have TA->CA1->EE then you can't get it for the CA1 certificate.

Jim

> -----Original Message-----
> From: Sam Hartman [mailto:hartmans-i...@mit.edu]
> Sent: Saturday, February 18, 2012 11:28 AM
> To: Jim Schaad
> Cc: 'Sam Hartman'; emu@ietf.org
> Subject: Re: [Emu] draft-ietf-emu-eap-tunnel-method 7.6: inadequate for
> interoperable implementation
>
> >>>>> "Jim" == Jim Schaad <i...@augustcellars.com> writes:
>
>     Jim> There is one other item that is also worrying me about this.
>     Jim> In doing the check of certificates, one should be doing
>     Jim> revocation checking. However if one is trying to get network
>     Jim> access, one cannot independently download the revocation
>     Jim> information until access is granted, and one cannot get access
>     Jim> granted until one has finished the EAP negotiation.
>
>
> TLS these days has the ability to present an OCSP response inline, right?
> Wouldn't that be an easier-to-implement strategy?