John Mattsson <john.mattsson=40ericsson....@dmarc.ietf.org> wrote:
> 1. Basically all TLS implementations support OCSP, and a majority
> support OCSP stapling (Certificate Status Request). Mbed is an
> exception rather than the rule.

Is this for server and client certificates, or just server certificates?
It seems that getting the client certificate staple would be difficult for
offline clients :-)

> https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations

Also, consider that an mbedtls EAP client could just not process the
OCSP+Staple for now. That would be non-compliant, but it would work.
(The opposite for the server is not the case.)

> 3. NIST SP 800-52 Rev 2 mandates that the server shall support use of
> the Certificate Status Request extension (i.e. OCSP stapling).
>
> - I do not think there is any wiggle room at all in the current version
> of the draft:
>
> "When EAP-TLS is used with TLS 1.3, the peer and server MUST use
> Certificate Status Requests [RFC6066] for the server's certificate chain"
>
> Note that in the current draft it is unspecified how the server checks
> the revocation status of the client's certificate:
>
> "When EAP-TLS is used with TLS 1.3, the server MUST check the
> revocation status of the certificates in the client's certificate chain."

So, OCSP would comply work, but insisting on stapling would be dumb.

> - My view is that OCSP stapling is a very good fit for EAP in
> particular and is well-supported enough to be mandated. Mandating
> stapling for EAP-TLS 1.3 from the start avoids having to rely on the
> X.509 must-staple extension. Any implementation not supporting OCSP
> stapling should implement it together with TLS 1.3. I do not think the
> requirement should be softened, but if it is, my view is that it should
> be softened as little as possible.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
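The point argued in the thread (a peer that ignores the staple still interoperates with every server, while a server that does not staple fails against a peer that enforces the draft's MUST) can be shown with a plain TLS 1.3 handshake. The following is an added example written for this page, not code from the thread, the EAP-TLS draft or any of the implementations mentioned. It uses Go's crypto/tls as a stand-in for the EAP-TLS peer and server with no EAP encapsulation. The names serverName, constructedStaple, Result and handshake are this example's own; the certificate is a throwaway self-signed one; and constructedStaple is a placeholder DER OCSPResponse with responseStatus=successful and no responseBytes, so it carries no actual certificate status (a real server would staple its CA responder's signed answer). The client's policy lives in VerifyConnection, where Go exposes the received staple as ConnectionState.OCSPResponse.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// constructedStaple is a placeholder for the DER OCSPResponse a real EAP-TLS
// server would fetch from its CA's responder and staple. It encodes only
// OCSPResponse{responseStatus: successful(0)} with no responseBytes, so it
// carries no certificate status; crypto/tls forwards the bytes unchanged in the
// status_request extension and never interprets them.
var constructedStaple = []byte{0x30, 0x03, 0x0a, 0x01, 0x00}

// serverName is a hypothetical name for the throwaway certificate.
const serverName = "eap-server.example"

// Result records what the client saw for one handshake.
type Result struct {
	Stapled bool  // a staple arrived in the server's status_request extension
	Err     error // nil when the client accepted the handshake
}

// selfSignedServerCert generates a throwaway ECDSA certificate and a root pool
// that trusts it, so the example runs offline with no real CA.
func selfSignedServerCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshake runs one TLS 1.3 handshake over an in-memory pipe. serverStaples
// controls whether the server attaches constructedStaple to its certificate;
// clientRequiresStaple selects the draft's MUST (fail closed without a staple)
// or the lenient behaviour of a peer that simply ignores the extension.
func handshake(serverStaples, clientRequiresStaple bool) Result {
	cert, pool, err := selfSignedServerCert()
	if err != nil {
		return Result{Err: err}
	}
	if serverStaples {
		cert.OCSPStaple = constructedStaple // sent inside the Certificate message in TLS 1.3
	}
	srvConf := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // keep the server's first flight to one write on the synchronous pipe
	}
	var stapled bool
	cliConf := &tls.Config{
		RootCAs:    pool,
		ServerName: serverName,
		MinVersion: tls.VersionTLS13,
		// VerifyConnection runs after chain validation, with any received staple
		// already in cs.OCSPResponse (Go always sends status_request).
		VerifyConnection: func(cs tls.ConnectionState) error {
			stapled = len(cs.OCSPResponse) > 0
			if clientRequiresStaple && !stapled {
				return errors.New("no OCSP staple: EAP-TLS 1.3 draft requires Certificate Status Request")
			}
			return nil
		},
	}
	cEnd, sEnd := net.Pipe()
	serverErr := make(chan error, 1)
	go func() {
		serverErr <- tls.Server(sEnd, srvConf).Handshake()
		sEnd.Close()
	}()
	clientErr := tls.Client(cEnd, cliConf).Handshake()
	<-serverErr // server finishes, or fails on the client's bad_certificate alert
	cEnd.Close()
	return Result{Stapled: stapled, Err: clientErr}
}

func main() {
	for _, c := range []struct{ staple, strict bool }{{true, true}, {false, true}, {true, false}, {false, false}} {
		r := handshake(c.staple, c.strict)
		fmt.Printf("server staples=%-5v client requires=%-5v -> stapled=%-5v accepted=%v\n",
			c.staple, c.strict, r.Stapled, r.Err == nil)
	}
}
```

Running main prints the four combinations: only the strict client against the non-stapling server is rejected, which is the asymmetry the reply describes. Presence of a staple is all this client checks; a conforming peer would additionally parse the response, verify the responder signature against the server's issuer, and confirm thisUpdate/nextUpdate and the certStatus, none of which the placeholder bytes here can satisfy.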