Hi Joe, Thanks for the quick response.
[Joe] If the server is offering an expired or revoked certificate then that needs to be remedied on the server. Where do you believe the value of OCSP comes into the picture for this EAP-TLS use case and what actions need to be taken when a notification of a revoked/expired certificate shows up?

[Joe] the document under consideration is EAP-TLS 1.3.

In my opinion any document that deals with certificates ought to have some discussion on revocation. In particular, EAP is deployed into an environment where some revocation mechanisms may not work as expected because there is no network access available to do out-of-band checks.

draft-ietf-emu-eap-tls13 also makes changes to TLS 1.2 in EAP-TLS. It updates the content of the original RFC. This was surprising to me as well. In that spirit it wouldn't be unnatural to also require OCSP there and to apply that to all EAP methods that use TLS. Note that I am not recommending it, but it shows the inconsistency in the approach being taken today.

Ciao
Hannes
_______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu