[Emu] Revised resolution for Erratum 5128

2020-10-29 Thread Joseph Salowey
I think this one is also done. PR is here https://github.com/emu-wg/teap-errata/pull/4. Please comment on this thread or PR if you think it still needs work: Errata 5128: https://www.rfc-editor.org/errata/eid5128 Proposed State: Verified Revision: Section 5.2. says S-IMCK[0] = session_key_see

[Emu] Revised resolution for TEAP erratum 5127

2020-10-29 Thread Joseph Salowey
I think this erratum is done. I've also started a GH repo to track the changes in the document which might help show them in context a bit better. The PR for this issue is https://github.com/emu-wg/teap-errata/pull/2. Please post here or comment on the PR if you think this needs any additional work

Re: [Emu] Consensus Call on OCSP usage in draft-ietf-emu-eap-tls13-11

2020-10-29 Thread Joseph Salowey
On Thu, Oct 29, 2020 at 3:12 PM Michael Richardson wrote: > > Joseph Salowey wrote: > > 2. Require Servers to Implement and Recommended to Use OCSP with text > > similar to the following: > > I don't think that this text is quite right. > > I note that "RECOMMENDED" is a synonym for SHOU

Re: [Emu] Secdir last call review of draft-ietf-emu-eaptlscert-06

2020-10-29 Thread Benjamin Kaduk
Hi Stefan, Thanks for the review; it raises some good topics. Replying on a couple points... On Thu, Oct 29, 2020 at 04:13:02PM -0700, Stefan Santesson via Datatracker wrote: > Reviewer: Stefan Santesson > Review result: Has Nits > > The document in general is good and well written. > > Some n

[Emu] Secdir last call review of draft-ietf-emu-eaptlscert-06

2020-10-29 Thread Stefan Santesson via Datatracker
Reviewer: Stefan Santesson Review result: Has Nits The document in general is good and well written. Some nits need attention before publication as the general review also points out. Ex in the abstract "This document looks at the this problem" Some abbreviations need to be spelled out at firs

Re: [Emu] Consensus Call on OCSP usage in draft-ietf-emu-eap-tls13-11

2020-10-29 Thread Michael Richardson
Joseph Salowey wrote: > 2. Require Servers to Implement and Recommended to Use OCSP with text > similar to the following: I don't think that this text is quite right. I note that "RECOMMENDED" is a synonym for SHOULD, and usually we ask documents to explain what a reasonable exception m

Re: [Emu] Consensus Call on OCSP usage in draft-ietf-emu-eap-tls13-11

2020-10-29 Thread Joseph Salowey
On Thu, Oct 29, 2020 at 10:30 AM Max Pala wrote: > Hi Eliot, all, > > > > In our industry we solved this issue by *requiring OCSP stapling if and > only if the certificate being validated carries the OCSP URI in the > certificate*. > > > > This allows us to live in a mixed environment where suppo

Re: [Emu] Consensus Call on OCSP usage in draft-ietf-emu-eap-tls13-11

2020-10-29 Thread Tim Cappalli
+1 From: Emu Date: Thursday, October 29, 2020 at 14:10 To: Eliot Lear Cc: Max Pala , EMU WG Subject: Re: [Emu] Consensus Call on OCSP usage in draft-ietf-emu-eap-tls13-11 +1 > On Oct 29, 2020, at 1:37 PM, Eliot Lear > wrote: > > Hi Max > >> On 29 Oct 2020, at 18:30, Max Pala wrote: >> >>

Re: [Emu] Consensus Call on OCSP usage in draft-ietf-emu-eap-tls13-11

2020-10-29 Thread Alan DeKok
+1 > On Oct 29, 2020, at 1:37 PM, Eliot Lear > wrote: > > Hi Max > >> On 29 Oct 2020, at 18:30, Max Pala wrote: >> >> Hi Eliot, all, >> >> In our industry we solved this issue by requiring OCSP stapling if and only >> if the certificate being validated carries the OCSP URI in the certif

Re: [Emu] Consensus Call on OCSP usage in draft-ietf-emu-eap-tls13-11

2020-10-29 Thread Eliot Lear
Hi Max > On 29 Oct 2020, at 18:30, Max Pala > wrote: > > Hi Eliot, all, > > In our industry we solved this issue by requiring OCSP stapling if and only > if the certificate being validated carries the OCSP URI in the certificate. Perfectly reasonable. > > This

Re: [Emu] Consensus Call on OCSP usage in draft-ietf-emu-eap-tls13-11

2020-10-29 Thread Max Pala
Hi Eliot, all, In our industry we solved this issue by requiring OCSP stapling if and only if the certificate being validated carries the OCSP URI in the certificate. This allows us to live in a mixed environment where support for OCSP might have been introduced later on and allows the C

Re: [Emu] Consensus Call on OCSP usage in draft-ietf-emu-eap-tls13-11

2020-10-29 Thread Eliot Lear
Hi Joe, My suggestion is that we add some discussion about what to do in the case of no connectivity to the CA. This will be a not-uncommon occurrence, IMHO, in industrial use cases. Eliot > On 29 Oct 2020, at 17:23, Joseph Salowey > wrote: > > An issue was raised i

[Emu] Consensus Call on OCSP usage in draft-ietf-emu-eap-tls13-11

2020-10-29 Thread Joseph Salowey
An issue was raised in a review of draft-ietf-emu-eap-tls13-11 on the mandatory requirement for OCSP stapling [1]. The document makes the use of OCSP mandatory in section 5.4 [2]. Several folks have pointed out that this may not be feasible in all deployments. This is a quick consensus call for