Hi,

When this was discussed in the group, it was decided to not only mandate 
revocation checking, but to also mandate OCSP stapling as it is often the only 
viable solution to let an offline peer check the revocation status of the 
server. We had a discussion on must-staple, and the decision was to mandate 
stapling in the draft instead of waiting for support of the X.509 must-staple 
extension. OCSP and OCSP stapling are quite well supported already and should 
be even better supported in a few years:

1. Basically all TLS implementations support OCSP, and a majority support OCSP 
stapling (Certificate Status Request). Mbed is an exception rather than the 
rule.

https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations

2. All browsers (desktop and mobile) support OCSP stapling.

https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/#:~:text=OCSP%20Must%2DStaple%20is%20a,Certificate%20Status%20Protocol%20(OCSP).

3. NIST SP 800-52 Rev 2 mandates that the server shall support use of the 
Certificate Status Request extension (i.e. OCSP stapling).


- I do not think there is any wiggle room at all in the current version of the 
draft:

  "When EAP-TLS is used with TLS 1.3, the peer and server MUST use Certificate 
Status Requests [RFC6066]
    for the server's certificate chain"

  Note that in the current draft it is unspecified how the server checks the 
revocation status of the client's certificate:
  
  "When EAP-TLS is used with TLS 1.3, the server MUST check the revocation 
status of the certificates in the
    client's certificate chain."


- The X.509 must-staple extension 
(https://tools.ietf.org/html/draft-hallambaker-muststaple-00) is not relevant 
for server certificates in the current EAP-TLS 1.3 draft as stapling is already 
a must. OCSP stapling is not very useful for client certs. I do not know if the 
X.509 must-staple extension is well supported or not. It could become relevant 
for server certs if the requirements are softened.


- My view is that OCSP stapling is a very good fit for EAP in particular and is 
well-supported enough to be mandated. Mandating stapling for EAP-TLS 1.3 from 
the start avoids having to rely on the X.509 must-staple extension. Any 
implementation not supporting OCSP stapling should implement it together with 
TLS 1.3. I do not think the requirement should be softened, but if it is, my view 
is that it should be softened as little as possible.

Cheers,
John

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
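An added example, written for this page and not taken from the mail, the EAP-TLS draft or any TLS library, of the RFC 6066 Certificate Status Request mechanism the quoted draft text refers to: the client's status_request extension is encoded and parsed, and the server's stapled CertificateStatus body is decoded so an implementer can tell whether a staple was actually delivered. The sample OCSPResponse DER is a constructed placeholder, not a real responder output.

```python
# RFC 6066 section 8: status_request extension (type 5) and CertificateStatus.
# In TLS 1.3 the same CertificateStatus body is carried as a status_request
# extension on the server's CertificateEntry (RFC 8446 section 4.4.2.1).
import struct

EXT_STATUS_REQUEST = 5   # extension_type "status_request"
STATUS_TYPE_OCSP = 1     # CertificateStatusType ocsp(1)

def encode_status_request_ext() -> bytes:
    """ClientHello extension asking the server to staple an OCSP response.
    Empty responder_id_list and request_extensions, as clients usually send."""
    body = struct.pack("!BHH", STATUS_TYPE_OCSP, 0, 0)
    return struct.pack("!HH", EXT_STATUS_REQUEST, len(body)) + body

def parse_status_request_ext(ext: bytes) -> dict:
    """Parse the extension as a server would; raise on malformed input."""
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != EXT_STATUS_REQUEST or ext_len != len(ext) - 4:
        raise ValueError("not a well-formed status_request extension")
    if ext[4] != STATUS_TYPE_OCSP:
        raise ValueError(f"unknown CertificateStatusType {ext[4]}")
    pos = 5
    rid_len = struct.unpack("!H", ext[pos:pos + 2])[0]; pos += 2
    responder_ids = ext[pos:pos + rid_len]; pos += rid_len
    rext_len = struct.unpack("!H", ext[pos:pos + 2])[0]; pos += 2
    request_exts = ext[pos:pos + rext_len]; pos += rext_len
    if pos != len(ext):
        raise ValueError("trailing bytes in status_request extension")
    return {"status_type": STATUS_TYPE_OCSP,
            "responder_id_list": responder_ids,
            "request_extensions": request_exts}

def encode_certificate_status(ocsp_response_der: bytes) -> bytes:
    """Server side: status_type(1) + 24-bit length + OCSPResponse DER."""
    return bytes([STATUS_TYPE_OCSP]) + len(ocsp_response_der).to_bytes(3, "big") \
        + ocsp_response_der

def parse_certificate_status(body: bytes) -> bytes:
    """Client side: return the stapled OCSPResponse DER, or raise if the
    staple is missing, empty or truncated (the 'MUST use' case fails)."""
    if len(body) < 4 or body[0] != STATUS_TYPE_OCSP:
        raise ValueError("CertificateStatus is not an ocsp(1) status")
    n = int.from_bytes(body[1:4], "big")
    if n == 0 or len(body) != 4 + n:
        raise ValueError("OCSPResponse missing or length mismatch")
    return body[4:]

# Constructed placeholder: OCSPResponse { responseStatus successful(0) } with
# no responseBytes; a real staple carries a signed BasicOCSPResponse here.
SAMPLE_OCSP_DER = bytes.fromhex("30030a0100")
```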
