Hi Joe,

I do not understand why certificate revocation checking is a topic specific to the use of TLS 1.3 in EAP-TLS.

If this topic is important to the group, then why isn't this a generic recommendation for all EAP methods that use public-key-based authentication? Wouldn't this be a topic to address in <draft-ietf-emu-eaptlscert>? IMHO this would make more sense given that <draft-ietf-emu-eaptlscert> talks about large certificates and long certificate chains, and any proposal to make those even larger should be evaluated in this context.

Ciao
Hannes

From: Joseph Salowey <j...@salowey.net>
Sent: Thursday, October 22, 2020 11:12 PM
To: Eliot Lear <lear=40cisco....@dmarc.ietf.org>
Cc: Hannes Tschofenig <hannes.tschofe...@arm.com>; emu@ietf.org
Subject: Re: [Emu] draft-ietf-emu-eap-tls13-11: OCSP Stapling

On Thu, Oct 22, 2020 at 8:08 AM Eliot Lear <lear=40cisco....@dmarc.ietf.org> wrote:

+1. How does anyone even do OCSP without having first gotten onto the network?

[Joe] That is what OCSP stapling is supposed to solve, since the OCSP messages are sent in the TLS handshake. I believe there are some EAP-TLS implementations that support OCSP, but I am not sure if it is actually deployed.

Eliot

On 21 Oct 2020, at 11:02, Hannes Tschofenig <hannes.tschofe...@arm.com> wrote:

Hi all,

this draft mandates OCSP stapling (for use with TLS 1.3 in EAP-TLS) and I believe this is a problem for implementations. This extra burden is IMHO unjustified. For the type of deployments where EAP is used there is no need for mandatory certificate revocation checking with OCSP. Having it optional, like the use of many other TLS extensions, is fine for me. FWIW even TLS 1.3, which is used in a more generic environment, does not mandate the use of OCSP stapling.

This requirement will make the problem described in draft-ietf-emu-eaptlscert worse. I am sure the authors are aware of this fact since they are also co-authors of draft-ietf-emu-eaptlscert.
Ciao
Hannes

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu