John Mattsson <john.mattsson=40ericsson....@dmarc.ietf.org> wrote:
    > 1. Basically all TLS implementations support OCSP, and a majority
    > support OCSP stapling (Certificate Status Request). Mbed is an
    > exception rather than the rule.

Is this for server and client certificates, or just server certificates?
It seems that getting the client certificate staple would be difficult for
offline clients :-)

    > https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations

Also, consider that an mbedtls EAP client could just not process the OCSP+Staple
for now.  That would be non-compliant, but it would work.
(The opposite for the server is not the case)

    > 3. NIST SP 800-52 Rev 2 mandates that the server shall support use of
    > the Certificate Status Request extension (i.e. OCSP stapling).

    > - I do not think there is any wiggle room at all in the current version
    > of the draft:

    > "When EAP-TLS is used with TLS 1.3, the peer and server MUST use
    > Certificate Status Requests [RFC6066]
    > for the server's certificate chain"

    > Note that in the current draft it is unspecified how the server checks
    > the revocation status of the client's certificate:

    > "When EAP-TLS is used with TLS 1.3, the server MUST check the
    > revocation status of the certificates in the client's certificate chain."

So, OCSP would comply work, but insisting on stapling would be dumb.

    > - My view is that OCSP stapling is a very good fit for EAP in
    > particular and is well-supported enough to be mandated. Mandating
    > stapling for EAP-TLS 1.3 from the start avoids having to rely on the
    > X.509 must-staple extension. Any implementation not supporting OCSP
    > stapling should implement it together with TLS 1.3. I do not think the
    > requirement should be softened, but if it is, my view is that it should
    > be softened as little as possible.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
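Added example, not part of this thread or of any implementation named in it: the RFC 6066 Certificate Status Request exchange that the quoted draft text refers to, encoded and decoded in Python. It builds the ClientHello status_request extension, the stapled CertificateStatus a TLS 1.3 server attaches to its CertificateEntry, and a client-side extractor whose `require_staple` flag is the difference between the draft's MUST for the server chain and a client that simply does not insist on the staple; the function names and the OCSPResponse bytes used in testing are constructed for this example.

```python
import struct

STATUS_REQUEST = 5    # extension_type status_request (RFC 6066 section 8)
STATUS_TYPE_OCSP = 1  # CertificateStatusType ocsp(1)


def encode_status_request(responder_ids=(), request_extensions=b""):
    """ClientHello status_request extension: type || length || CertificateStatusRequest, where the
    body is status_type || responder_id_list<0..2^16-1> || request_extensions<0..2^16-1>."""
    id_list = b"".join(struct.pack("!H", len(r)) + r for r in responder_ids)  # ResponderID<1..2^16-1>
    body = (bytes([STATUS_TYPE_OCSP]) + struct.pack("!H", len(id_list)) + id_list
            + struct.pack("!H", len(request_extensions)) + request_extensions)
    return struct.pack("!HH", STATUS_REQUEST, len(body)) + body


def encode_certificate_status(ocsp_response_der):
    """The staple: status_request extension on the server's CertificateEntry (RFC 8446 section
    4.4.2.1) carrying CertificateStatus = status_type || OCSPResponse<1..2^24-1>."""
    if not 1 <= len(ocsp_response_der) <= 0xFFFFFF:
        raise ValueError("OCSPResponse must be 1..2^24-1 bytes")
    body = bytes([STATUS_TYPE_OCSP]) + len(ocsp_response_der).to_bytes(3, "big") + ocsp_response_der
    return struct.pack("!HH", STATUS_REQUEST, len(body)) + body


def extract_staple(entry_extensions, require_staple=True):
    """Walk a CertificateEntry's Extensions<0..2^16-1> vector and return the DER OCSPResponse.
    require_staple=True treats a missing staple as fatal (the draft's MUST for the server chain);
    False returns None so the caller can fall back to querying the OCSP responder directly."""
    ext_len = struct.unpack("!H", entry_extensions[:2])[0]
    if ext_len != len(entry_extensions) - 2:
        raise ValueError("Extensions vector length mismatch")
    pos = 2
    while pos < len(entry_extensions):
        ext_type, body_len = struct.unpack("!HH", entry_extensions[pos:pos + 4])
        body = entry_extensions[pos + 4:pos + 4 + body_len]
        if len(body) != body_len:
            raise ValueError("truncated extension")
        pos += 4 + body_len
        if ext_type != STATUS_REQUEST:
            continue  # other CertificateEntry extensions (e.g. SCTs) are not our concern here
        if body[:1] != bytes([STATUS_TYPE_OCSP]):
            raise ValueError("unsupported CertificateStatusType")
        resp_len = int.from_bytes(body[1:4], "big")
        if resp_len < 1 or 4 + resp_len != len(body):
            raise ValueError("OCSPResponse length does not match CertificateStatus")
        return body[4:]
    if require_staple:
        raise ValueError("server certificate carried no OCSP staple")
    return None
```

The bytes returned by `extract_staple` still have to be parsed and signature-checked as an OCSPResponse against the server's chain; this code only handles the TLS framing around it.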
