On Mon, Aug 14, 2017 at 08:03:08PM +0200, Hubert Kario wrote:
> Current (21) draft references RFC 6961 in multiple places, in particular
>  * Section 4.4.2:
>      Valid extensions
>      include OCSP Status extensions ([RFC6066] and [RFC6961])
>  * and therein implicitly:
>      If
>      an extension applies to the entire chain, it SHOULD be included in
>      the first CertificateEntry.
> 
> at the same time section B.3.1 ExtensionType and table from Section 4.2 do
> not list status_request_v2 as a valid extension.
> 
> 
> If the intention was to deprecate status_request_v2, I think the references
> to RFC 6961 should be a bit more cautious. If it wasn't (as old messages sent
> to the list would indicate), quite a bit of text is missing.

The introduction suggests that TLS 1.3 intends to deprecate
status_request_v2.

And indeed, if status_request_v2 was to be supported, extra text would
be required. Like how to map the list of certificates inside the
message to certificates sent.

I think that clause about extensions to the whole chain is more for things
like server_certificate_type.


Furthermore, in WebPKI, CA certificate OCSP is at best useless due to
the very long response lifetimes. And getting the lifetimes down to a
reasonable range is not realistic.



-Ilari
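The structural point in the exchange above is that TLS 1.3 carries OCSP status per CertificateEntry (RFC 6066 status_request, code point 5) rather than as an RFC 6961 status_request_v2 list that would need a separate mapping onto the certificates sent. The following is an added example written for this page, not code from the thread or from any TLS implementation: it serializes and parses the TLS 1.3 Certificate message body, encodes a CertificateStatus extension for the leaf entry, and flags any entry that carries status_request_v2 (17) or another extension type not defined for CertificateEntry. The certificate and OCSP bytes are constructed placeholders, not real DER; the extension code points 5, 17 and 18 are the IANA-registered values.

```python
import struct

# IANA TLS ExtensionType code points relevant to certificate status.
STATUS_REQUEST = 5                  # RFC 6066; the per-entry OCSP extension TLS 1.3 defines
STATUS_REQUEST_V2 = 17              # RFC 6961; absent from the TLS 1.3 extension table
SIGNED_CERTIFICATE_TIMESTAMP = 18   # RFC 6962; also permitted in CertificateEntry
ALLOWED_IN_CERTIFICATE_ENTRY = {STATUS_REQUEST, SIGNED_CERTIFICATE_TIMESTAMP}

# Constructed placeholder bytes standing in for DER certificates and an OCSP response.
LEAF_CERT = b"constructed-leaf-certificate-der"
CA_CERT = b"constructed-intermediate-certificate-der"
OCSP_RESPONSE = b"constructed-ocsp-response-der"


def _vec(data: bytes, len_bytes: int) -> bytes:
    """Encode a TLS variable-length vector: big-endian length of len_bytes, then data."""
    return len(data).to_bytes(len_bytes, "big") + data


def _read_vec(buf: bytes, pos: int, len_bytes: int):
    """Decode a TLS vector at pos; return (data, position after the vector)."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length field")
    length = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + length > len(buf):
        raise ValueError("vector runs past end of message")
    return buf[pos:pos + length], pos + length


def encode_certificate_status(ocsp_response: bytes) -> bytes:
    """CertificateStatus body: status_type ocsp(1) followed by OCSPResponse<1..2^24-1>."""
    return b"\x01" + _vec(ocsp_response, 3)


def build_certificate_message(context: bytes, entries) -> bytes:
    """Serialize a TLS 1.3 Certificate message body (handshake header excluded).
    entries is a list of (cert_data, [(extension_type, extension_data), ...])."""
    cert_list = b""
    for cert_data, extensions in entries:
        exts = b"".join(struct.pack("!H", t) + _vec(d, 2) for t, d in extensions)
        cert_list += _vec(cert_data, 3) + _vec(exts, 2)
    return _vec(context, 1) + _vec(cert_list, 3)


def parse_certificate_message(msg: bytes):
    """Parse a Certificate body into (certificate_request_context, [(cert_data, [(type, data)])])."""
    context, pos = _read_vec(msg, 0, 1)
    cert_list, pos = _read_vec(msg, pos, 3)
    if pos != len(msg):
        raise ValueError("trailing bytes after certificate_list")
    entries, p = [], 0
    while p < len(cert_list):
        cert_data, p = _read_vec(cert_list, p, 3)
        exts_blob, p = _read_vec(cert_list, p, 2)
        exts, q = [], 0
        while q < len(exts_blob):
            if q + 2 > len(exts_blob):
                raise ValueError("truncated extension_type")
            ext_type = int.from_bytes(exts_blob[q:q + 2], "big")
            ext_data, q = _read_vec(exts_blob, q + 2, 2)
            exts.append((ext_type, ext_data))
        entries.append((cert_data, exts))
    return context, entries


def check_entry_extensions(entries):
    """Return a list of problems with per-entry extensions; empty list means the message is clean."""
    problems = []
    for i, (_, exts) in enumerate(entries):
        seen = set()
        for ext_type, _ in exts:
            if ext_type in seen:
                problems.append(f"entry {i}: duplicate extension type {ext_type}")
            seen.add(ext_type)
            if ext_type == STATUS_REQUEST_V2:
                problems.append(f"entry {i}: status_request_v2 (17) has no CertificateEntry definition in TLS 1.3")
            elif ext_type not in ALLOWED_IN_CERTIFICATE_ENTRY:
                problems.append(f"entry {i}: extension type {ext_type} not permitted in CertificateEntry")
    return problems


# A conforming message: OCSP status stapled to the leaf entry only, CA entry carries nothing.
GOOD_MESSAGE = build_certificate_message(b"", [
    (LEAF_CERT, [(STATUS_REQUEST, encode_certificate_status(OCSP_RESPONSE))]),
    (CA_CERT, []),
])

# A message that tries to reuse the RFC 6961 extension inside a CertificateEntry.
BAD_MESSAGE = build_certificate_message(b"", [
    (LEAF_CERT, [(STATUS_REQUEST, encode_certificate_status(OCSP_RESPONSE))]),
    (CA_CERT, [(STATUS_REQUEST_V2, b"\x02" + _vec(OCSP_RESPONSE, 3))]),
])

if __name__ == "__main__":
    for name, msg in (("good", GOOD_MESSAGE), ("bad", BAD_MESSAGE)):
        _, entries = parse_certificate_message(msg)
        print(name, check_entry_extensions(entries))
```

The checker is deliberately strict about unknown extension types in CertificateEntry; a real implementation would consult its full table of permitted types, but the point here is that the per-entry layout already answers the "which certificate does this status belong to" question that the status_request_v2 list would otherwise have to re-specify.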

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls