John Mattsson <[email protected]> wrote:
> 1. Basically all TLS implementations support OCSP, and a majority
> support OCSP stapling (Certificate Status Request). Mbed is an
> exception rather than the rule.
Is this for server and client certificates, or just server certificates?
It seems that getting the client certificate staple would be difficult for
offline clients :-)
> https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
Also, consider that an mbedtls EAP client could just not process the OCSP+Staple
for now. That would be non-compliant, but it would work.
(The opposite for the server is not the case)
> 3. NIST SP 800-52 Rev 2 mandates that the server shall support use of
> the Certificate Status Request extension (i.e. OCSP stapling).
> - I do not think there is any wiggle room at all in the current version
> of the draft:
> "When EAP-TLS is used with TLS 1.3, the peer and server MUST use
> Certificate Status Requests [RFC6066]
> for the server's certificate chain"
> Note that in the current draft it is unspecified how the server checks
> the revocation status of the client's certificate:
> "When EAP-TLS is used with TLS 1.3, the server MUST check the
> revocation status of the certificates in the client's certificate chain."
So, OCSP would comply and work, but insisting on stapling would be dumb.
> - My view is that OCSP stapling is a very good fit for EAP in
> particular and is well-supported enough to be mandated. Mandating
> stapling for EAP-TLS 1.3 from the start avoids having to rely on the
> X.509 must-staple extension. Any implementation not supporting OCSP
> stapling should implement it together with TLS 1.3. I do not think the
> requirement should be softened, but if it is, my view is that it should
> be softened as little as possible.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________ Emu mailing list [email protected] https://www.ietf.org/mailman/listinfo/emu
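The Certificate Status Request extension the quoted draft text refers to, as an added example that is not part of the thread and not taken from Mbed TLS or any other implementation: a minimal Python encoder for the ClientHello status_request extension (RFC 6066 section 8), an encoder/parser for the TLS 1.3 CertificateEntry extension that carries the stapled OCSPResponse, and the peer-side check that the draft's MUST for the server chain implies. The OCSPResponse bytes are a constructed placeholder, not a real response.

```python
import struct

STATUS_REQUEST_EXT = 5   # extension_type status_request, RFC 6066 section 8
OCSP_STATUS_TYPE = 1     # CertificateStatusType ocsp(1)

def encode_status_request(responder_ids=(), request_extensions=b""):
    """ClientHello status_request extension: type(2) len(2) OCSPStatusRequest."""
    ids = b"".join(struct.pack("!H", len(r)) + r for r in responder_ids)
    body = (bytes([OCSP_STATUS_TYPE])
            + struct.pack("!H", len(ids)) + ids
            + struct.pack("!H", len(request_extensions)) + request_extensions)
    return struct.pack("!HH", STATUS_REQUEST_EXT, len(body)) + body

def encode_certificate_status(ocsp_response_der):
    """TLS 1.3 CertificateEntry extension: status_type(1) + OCSPResponse<1..2^24-1>."""
    body = (bytes([OCSP_STATUS_TYPE])
            + len(ocsp_response_der).to_bytes(3, "big") + ocsp_response_der)
    return struct.pack("!HH", STATUS_REQUEST_EXT, len(body)) + body

def parse_extensions(data):
    """Split a TLS extension list (outer length already removed) into {type: body}."""
    exts, i = {}, 0
    while i + 4 <= len(data):
        ext_type, ext_len = struct.unpack("!HH", data[i:i + 4])
        if i + 4 + ext_len > len(data):
            raise ValueError("truncated extension")
        exts[ext_type] = data[i + 4:i + 4 + ext_len]
        i += 4 + ext_len
    if i != len(data):
        raise ValueError("trailing bytes in extension list")
    return exts

def parse_certificate_status(body):
    """Parse a CertificateStatus body and return the DER OCSPResponse it carries."""
    if len(body) < 4 or body[0] != OCSP_STATUS_TYPE:
        raise ValueError("not an OCSP CertificateStatus")
    resp_len = int.from_bytes(body[1:4], "big")
    if resp_len == 0 or len(body) != 4 + resp_len:
        raise ValueError("bad OCSPResponse length")
    return body[4:]

def stapled_response_or_reject(cert_entry_extensions):
    """Peer-side check the draft's MUST implies for the server chain: no staple, no trust."""
    exts = parse_extensions(cert_entry_extensions)
    if STATUS_REQUEST_EXT not in exts:
        raise ValueError("server certificate has no stapled OCSP response")
    return parse_certificate_status(exts[STATUS_REQUEST_EXT])

# Constructed placeholder standing in for a real DER-encoded OCSPResponse.
SAMPLE_OCSP_RESPONSE = b"\x30\x03\x0a\x01\x00"
```

The rejecting branch is what a peer has to do if stapling is mandated without an X.509 must-staple fallback; a server that only offers plain OCSP would fail this check.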
