Hannes Tschofenig <hannes.tschofe...@arm.com> wrote:
    > this draft mandates OCSP stapling (for use with TLS 1.3 in EAP-TLS)
    > and I believe this is a problem for implementations. This extra burden
    > is IMHO unjustified. For the type of deployments where EAP is used
    > there is no need for mandatory certificate revocation checking with
    > OCSP.

Is it:
   1) there is no need for mandatory certificate revocation checking
   2) there is no need to make OCSP checking the mandatory method for
      certificate revocation checking

Are you objecting to:
   a) mandatory certificate revocation checking
   b) mandatory OCSP
   c) mandatory OCSP *stapling* when using OCSP

I think, if you, the client (who has no Internet yet), are going to be able to
do certificate revocation checking, then doing it via OCSP stapling is the
right way to go.  It can't do ONLINE CSP, because it has no Internet.

    > Having it optional, like the use of many other TLS extensions, is fine
    > for me. FWIW even TLS 1.3, which is used in a more generic environment,
    > does not mandate the use of OCSP stapling.

    > This requirement will make the problem described in
    > draft-ietf-emu-eaptlscert worse. I am sure the authors are aware of
    > this fact since they are also co-authors of draft-ietf-emu-eaptlscert.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide


_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
