> On 30 Apr 2020, at 20:53, Michael Richardson <mcr+i...@sandelman.ca> wrote:
>
> Signed PGP part
>
> Eliot Lear <lear=40cisco....@dmarc.ietf.org> wrote:
>> Here is a circumstance one could easily imagine, and in fact we
>> attempted to address in draft-lear-eap-teap-brski:
>
>> Client requires a new certificate for some reason or another. Perhaps
>> it is about to expire, or perhaps the signer has been compromised, or
>> what have you.
>
> I think that's a really bad example. I can talk about the reasons, but I
> think it would detract from your query.

Certificates do need to roll, and we should handle that case. One could use the ACME/LE model of just periodically sending a PKCS#10 request after 2/3rds of the expiry is past, but that doesn't help us in the case where the signing cert needs to roll.

> Maybe you can give me a different use case?

A different use case might be (later on), "please send me a RATS attestation". The key point is that the EAP server is a good control channel to gate clients in a lock step fashion, but the Request-Action TLV doesn't quite get us there, as written, as I see it.

Eliot
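The two renewal triggers discussed above, written out as a small client-side policy. This is an added illustration, not code from the thread, from draft-lear-eap-teap-brski, or from any TEAP implementation: the lifetime-fraction check is the ACME/Let's Encrypt style "renew once 2/3 of validity has elapsed" rule, and the second trigger shows why that rule alone is not enough when the signing certificate rolls: the client can only act on a retired issuer key if something (the EAP server acting as a control channel, in the thread's framing) tells it which issuer keys are retired. The `CertInfo` record, `issuer_key_id` field, sample dates and `retired_issuer_keys` set are all constructed for the example; no X.509 parsing is done.

```python
"""Client certificate renewal policy sketch (constructed example).

Trigger 1: a fixed fraction of the validity period has elapsed (periodic
           re-enrollment, the ACME/LE model).
Trigger 2: the issuer's signing key has been retired or compromised, which
           the client cannot detect from its own certificate's dates; it
           needs that set pushed to it over a control channel.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set


@dataclass(frozen=True)
class CertInfo:
    """Minimal view of a client certificate (hypothetical; no real X.509 parsing)."""
    subject: str
    issuer_key_id: str      # hypothetical: hex of the issuer's key identifier
    not_before: datetime
    not_after: datetime


def lifetime_fraction_elapsed(cert: CertInfo, now: datetime,
                              num: int = 2, den: int = 3) -> bool:
    """True once num/den of the validity period has passed.

    Integer cross-multiplication avoids float rounding, so 2/3 of a 90-day
    certificate is exactly day 60, not 59.999... days.
    """
    lifetime = int((cert.not_after - cert.not_before).total_seconds())
    elapsed = int((now - cert.not_before).total_seconds())
    return elapsed * den >= lifetime * num


def reenroll_reason(cert: CertInfo, now: datetime,
                    retired_issuer_keys: Set[str]) -> Optional[str]:
    """Return why the client must re-enroll now, or None if it need not.

    Checked in order of severity: an already-expired certificate, an issuer
    whose key has been retired (forced roll regardless of dates), and finally
    the ordinary periodic renewal window.
    """
    if now >= cert.not_after:
        return "expired"
    if cert.issuer_key_id in retired_issuer_keys:
        return "issuer-key-retired"
    if lifetime_fraction_elapsed(cert, now):
        return "renewal-window"
    return None


# Constructed sample: a 90-day certificate issued at a fixed instant.
NOT_BEFORE = datetime(2020, 4, 1, tzinfo=timezone.utc)
SAMPLE_CERT = CertInfo(
    subject="CN=client-0001",
    issuer_key_id="a1b2c3d4",   # constructed placeholder value
    not_before=NOT_BEFORE,
    not_after=NOT_BEFORE + timedelta(days=90),
)


def at_day(n: int) -> datetime:
    """Instant n days after the sample certificate's notBefore."""
    return NOT_BEFORE + timedelta(days=n)


if __name__ == "__main__":
    for day in (1, 59, 60, 90):
        print(day, reenroll_reason(SAMPLE_CERT, at_day(day), set()))
    # With the issuer key retired, even a fresh certificate must roll.
    print(1, reenroll_reason(SAMPLE_CERT, at_day(1), {"a1b2c3d4"}))
```

The ordering in `reenroll_reason` is the design point: the periodic rule only fires at day 60, so a compromised signer on day 1 would go unnoticed for two months unless the retired-key set arrives from the server, which is the gap the thread is describing.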