Thanks, John.  Please see below:

> On 26 Oct 2020, at 13:58, John Mattsson 
> <john.mattsson=40ericsson....@dmarc.ietf.org> wrote:
> 
> Hi Eliot,
> 
> The EAP server is expected to frequently request an OCSP response from the 
> OCSP responder (a server typically run by the certificate issuer). The OCSP 
> response is then added to the Server's Certificate message as long as it is 
> valid. Before the OCSP response is close to expiring, the EAP server requests 
> a new OCSP response from the OCSP responder.
> 

Right.  What this is saying is that a local deployment MUST run an OCSP 
responder.  If that OCSP responder is unavailable, then what?  Now imagine we 
are discussing critical infrastructure where the responder is not in the same 
room, and there are network connectivity problems.  The device joining the 
network needs local access and that is it.  Does that mean it should not use 
EAP-TLS?  Or are we saying that they MUST use naked public keys?

> I assume you mean the client is offline? If use cases where none of the 
> entities can contact the OCSP responder are in scope, OCSP stapling does not 
> work.

Right.  So then what?  Fail?

For many devices the manufacturers will be unable to predict whether a device 
will or will not have direct access to anything.  It is specific to deployment 
circumstances.  Also, running an OCSP server is something that will be very new 
for many enterprises.

Eliot
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
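The exchange above describes an EAP server that re-requests an OCSP response ahead of its nextUpdate and staples it into the Certificate message, and asks what happens when the responder becomes unreachable. The following simulation is an added example, not code from the thread or from any EAP-TLS implementation; it models the staple refresh loop and the peer's acceptance policy with constructed timestamps and simplified classes (OcspStaple, OcspResponder, EapServer, peer_accepts are all hypothetical names), with no real OCSP encoding or parsing. It shows that a cached response keeps the handshake working until its own nextUpdate, and that once that window passes a peer that requires a staple will fail the handshake until the responder is reachable again.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class OcspStaple:
    # Only the fields that matter for freshness decisions (constructed model, not a parser).
    cert_status: str      # "good" or "revoked"
    this_update: datetime
    next_update: datetime

    def is_valid_at(self, now: datetime) -> bool:
        # A response is usable from thisUpdate up to (but not including) nextUpdate.
        return self.this_update <= now < self.next_update


class OcspResponder:
    """Stand-in for the issuer's OCSP responder; `online` toggles reachability (constructed)."""

    def __init__(self, validity: timedelta, status: str = "good"):
        self.validity = validity
        self.status = status
        self.online = True

    def respond(self, now: datetime) -> Optional[OcspStaple]:
        if not self.online:
            return None  # network problem or responder down: no response at all
        return OcspStaple(self.status, now, now + self.validity)


class EapServer:
    """Keeps the last OCSP response and re-requests it `refresh_lead` before nextUpdate."""

    def __init__(self, responder: OcspResponder, refresh_lead: timedelta):
        self.responder = responder
        self.refresh_lead = refresh_lead
        self.staple: Optional[OcspStaple] = None

    def needs_refresh(self, now: datetime) -> bool:
        return self.staple is None or now >= self.staple.next_update - self.refresh_lead

    def staple_for_handshake(self, now: datetime) -> Optional[OcspStaple]:
        if self.needs_refresh(now):
            fresh = self.responder.respond(now)
            if fresh is not None:
                self.staple = fresh
            # Otherwise keep the old response: it remains usable until its nextUpdate.
        if self.staple is not None and self.staple.is_valid_at(now):
            return self.staple
        return None  # nothing valid to staple: responder unreachable past the window


def peer_accepts(staple: Optional[OcspStaple], now: datetime, require_staple: bool) -> bool:
    """Peer policy: with require_staple, an absent, stale or 'revoked' response fails the handshake."""
    if staple is None:
        return not require_staple
    return staple.is_valid_at(now) and staple.cert_status == "good"


def run_scenario(require_staple: bool = True) -> dict:
    """Responder reachable at t0, unreachable for a week, then back. Returns label -> (stapled, accepted)."""
    t0 = datetime(2020, 10, 26, 13, 58, tzinfo=timezone.utc)  # constructed timestamp
    responder = OcspResponder(validity=timedelta(days=7))
    server = EapServer(responder, refresh_lead=timedelta(days=1))
    outcomes = {}

    def handshake(label: str, now: datetime) -> None:
        staple = server.staple_for_handshake(now)
        outcomes[label] = (staple is not None, peer_accepts(staple, now, require_staple))

    handshake("initial", t0)
    responder.online = False
    handshake("day2_offline", t0 + timedelta(days=2))       # no refresh due yet
    handshake("day6_5_offline", t0 + timedelta(days=6, hours=12))  # refresh fails, old staple still valid
    handshake("day8_offline", t0 + timedelta(days=8))       # old staple expired, nothing to send
    responder.online = True
    handshake("day9_back", t0 + timedelta(days=9))          # fresh response obtained again
    return outcomes


if __name__ == "__main__":
    for label, (stapled, accepted) in run_scenario().items():
        print(f"{label:16} stapled={stapled!s:5} accepted={accepted}")
```

Running it with require_staple=True shows handshakes succeeding for the whole validity window of the last fetched response and failing only once that window has passed; with require_staple=False the peer accepts the bare certificate on day 8, which is the policy choice the thread is circling around for deployments that cannot guarantee reachability.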