On Thu, Oct 22, 2020 at 8:08 AM Eliot Lear <lear=40cisco....@dmarc.ietf.org> wrote:
> +1. How does anyone even do OCSP without having first gotten onto the
> network?

[Joe] That is what OCSP stapling is supposed to solve since the OCSP messages are sent in the TLS handshake. I believe there are some EAP-TLS implementations that support OCSP, but I am not sure if it is actually deployed.

> Eliot
>
> On 21 Oct 2020, at 11:02, Hannes Tschofenig <hannes.tschofe...@arm.com>
> wrote:
>
> Hi all,
>
> this draft mandates OCSP stapling (for use with TLS 1.3 in EAP-TLS) and I
> believe this is a problem for implementations. This extra burden is IMHO
> unjustified. For the type of deployments where EAP is used there is no need
> for mandatory certificate revocation checking with OCSP.
>
> Having it optional, like the use of many other TLS extensions, is fine for
> me. FWIW even TLS 1.3, which is used in a more generic environment, does
> not mandate the use of OCSP stapling.
>
> This requirement will make the problem described in
> draft-ietf-emu-eaptlscert worse. I am sure the authors are aware of this
> fact since they are also co-authors of draft-ietf-emu-eaptlscert.
>
> Ciao
> Hannes
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
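Added example, not part of the thread or of any implementation discussed in it: in TLS 1.3 the stapled OCSP response travels inside the server's Certificate message, as a `status_request` extension on the CertificateEntry it covers (RFC 8446, section 4.4.2.1), which is why a peer can check revocation before it has network access. The sketch below parses that message body and reports which entries carry a staple; the function names and the sample bytes are constructed for illustration.

```python
import struct

STATUS_REQUEST = 5  # ExtensionType status_request (RFC 6066)
OCSP = 1            # CertificateStatusType ocsp (RFC 6066)

def u24(buf, off):
    return int.from_bytes(buf[off:off + 3], "big")

def stapled_ocsp(cert_msg):
    """Return one item per CertificateEntry: stapled OCSPResponse bytes, or None.

    cert_msg is the body of a TLS 1.3 Certificate message (RFC 8446, 4.4.2),
    without the 4-byte handshake header.
    """
    off = 1 + cert_msg[0]                      # skip certificate_request_context
    end = off + 3 + u24(cert_msg, off)
    off += 3
    if end != len(cert_msg):
        raise ValueError("certificate_list length mismatch")
    staples = []
    while off < end:
        off += 3 + u24(cert_msg, off)          # skip cert_data
        ext_end = off + 2 + int.from_bytes(cert_msg[off:off + 2], "big")
        off += 2
        if ext_end > end:
            raise ValueError("truncated CertificateEntry")
        staple = None
        while off + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", cert_msg, off)
            data = cert_msg[off + 4:off + 4 + elen]
            off += 4 + elen
            # In TLS 1.3 the extension body is a CertificateStatus structure.
            if etype == STATUS_REQUEST and len(data) > 4 and data[0] == OCSP:
                if u24(data, 1) != len(data) - 4:
                    raise ValueError("bad CertificateStatus length")
                staple = data[4:]
        if off != ext_end:
            raise ValueError("extension overruns CertificateEntry")
        staples.append(staple)
    return staples

def entry(cert, exts=b""):
    """Encode one CertificateEntry (used only to build the constructed sample)."""
    return len(cert).to_bytes(3, "big") + cert + len(exts).to_bytes(2, "big") + exts

def sample_message(with_staple=True):
    # Constructed placeholder bytes, not real DER certificates or OCSP responses.
    resp = b"OCSP-RESPONSE"
    status = bytes([OCSP]) + len(resp).to_bytes(3, "big") + resp
    ext = struct.pack("!HH", STATUS_REQUEST, len(status)) + status
    entries = entry(b"LEAF-CERT", ext if with_staple else b"") + entry(b"CA-CERT")
    return b"\x00" + len(entries).to_bytes(3, "big") + entries
```

A peer that treats stapling as mandatory would reject the handshake when the first item is `None`; one that treats it as optional would proceed and rely on other revocation handling.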