Hi Michael,

Thanks for the question. I am objecting to the mandatory use of OCSP for TLS 
1.3 in EAP-TLS.
I am fine with having it optional.

Mbed TLS is used in implementations of EAP-TLS and we have received little 
interest in OCSP support. The interest is so low that the proposed code was 
never merged.

Companies seem to use an alternative approach instead, namely to change 
certificates via a device management solution. After all, you will have to 
offer a solution anyway. You cannot just reject access to your backend 
authentication infrastructure and do nothing.

Do other EAP methods rely on OCSP?

Ciao
Hannes

-----Original Message-----
From: Michael Richardson <mcr+i...@sandelman.ca>
Sent: Wednesday, October 21, 2020 6:46 PM
To: Hannes Tschofenig <hannes.tschofe...@arm.com>; emu@ietf.org
Subject: Re: [Emu] draft-ietf-emu-eap-tls13-11: OCSP Stapling


Hannes Tschofenig <hannes.tschofe...@arm.com> wrote:
    > this draft mandates OCSCP stapling (for use with TLS 1.3 in EAP-TLS)
    > and I believe this is a problem for implementations. This extra burden
    > is IMHO unjustified. For the type of deployments where EAP is used
    > there is no need for a mandatory certificate revocation checking with
    > OCSP.

Is it:
   1) there is no need for mandatory certificate revocation checking
   2) there is no need to make OCSP checking the mandatory method for 
certificate revocation checking

Are you objecting to:
   a) mandatory certificate revocation checking
   b) mandatory OCSP
   c) mandatory OCSP *stapling* when using OCSP

I think, if you the client (who has no Internet yet), is going to be able to do 
certificate revocation checking, then doing it via OCSP stapling is the right 
way to go.  It can't do ONLINE CSP, because it has no Internet.

    > Having it optional, like the use of many other TLS extensions, is fine
    > for me. FWIW even TLS 1.3, which is used in a more generic environment,
    > does not mandate the use of OCSP stapling.

    > This requirement will make the problem described in
    > draft-ietf-emu-eaptlscert worse. I am sure the authors are aware of
    > this fact since they are also co-authors of draft-ietf-emu-eaptlscert.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
IMPORTANT NOTICE: The contents of this email and any attachments are 
confidential and may also be privileged. If you are not the intended recipient, 
please notify the sender immediately and do not disclose the contents to any 
other person, use it for any purpose, or store or copy the information in any 
medium. Thank you.
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu

Reply via email to