Hi Joe,

I do not understand why certificate revocation checking is a topic specific to the 
use of TLS 1.3 in EAP-TLS.

If this topic is important to the group then why isn’t this a generic 
recommendation for all EAP methods that use public key based authentication?

Wouldn’t this be a topic to address in <draft-ietf-emu-eaptlscert>? IMHO this 
would make more sense given that <draft-ietf-emu-eaptlscert> talks about large 
certificates and long certificate chains and any proposal to make those even 
larger should be evaluated in this context.

Ciao
Hannes

From: Joseph Salowey <j...@salowey.net>
Sent: Thursday, October 22, 2020 11:12 PM
To: Eliot Lear <lear=40cisco....@dmarc.ietf.org>
Cc: Hannes Tschofenig <hannes.tschofe...@arm.com>; emu@ietf.org
Subject: Re: [Emu] draft-ietf-emu-eap-tls13-11: OCSP Stapling



On Thu, Oct 22, 2020 at 8:08 AM Eliot Lear 
<lear=40cisco....@dmarc.ietf.org> wrote:
+1.  How does anyone even do OCSP without having first gotten onto the network?


[Joe] That is what OCSP stapling is supposed to solve since the OCSP messages 
are sent in the TLS handshake. I believe there are some EAP-TLS 
implementations that support OCSP, but I am not sure if it is actually deployed.

Eliot

On 21 Oct 2020, at 11:02, Hannes Tschofenig 
<hannes.tschofe...@arm.com> wrote:

Hi all,

This draft mandates OCSP stapling (for use with TLS 1.3 in EAP-TLS) and I 
believe this is a problem for implementations. This extra burden is IMHO 
unjustified. For the type of deployments where EAP is used there is no need for 
mandatory certificate revocation checking with OCSP.

Having it optional, like the use of many other TLS extensions, is fine for me. 
FWIW even TLS 1.3, which is used in a more generic environment, does not 
mandate the use of OCSP stapling.

This requirement will make the problem described in draft-ietf-emu-eaptlscert 
worse. I am sure the authors are aware of this fact since they are also 
co-authors of draft-ietf-emu-eaptlscert.

Ciao
Hannes
IMPORTANT NOTICE: The contents of this email and any attachments are 
confidential and may also be privileged. If you are not the intended recipient, 
please notify the sender immediately and do not disclose the contents to any 
other person, use it for any purpose, or store or copy the information in any 
medium. Thank you.
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
