On Aug 3, 2019, at 5:53 PM, Jim Schaad <[email protected]> wrote: > > In section 5.7 - I am not sure why one could not re-check for revocation > when doing a resumption, I would expect that this is only server side that > would do it but the current paragraph two outlaws it.
I think it's best to *always* apply authorization policies. The alternative is to allow the server to *not* check authorization policies during resumption. Which then means that the client is in charge of authorization, not the server. Alan DeKok. _______________________________________________ Emu mailing list [email protected] https://www.ietf.org/mailman/listinfo/emu
