Dear workgroup,

Please help me to clarify the next question. RFC 9190 "EAP-TLS 1.3", Section "5.4. Certificate Revocation" says: "EAP-TLS servers supporting TLS 1.3 MUST implement Certificate Status Requests (OCSP stapling) as specified in [RFC6066] and Section 4.4.2.1 of [RFC8446]"

The wording "MUST Implement" doesn't explicitly specify whether an EAP-TLS server must reply to a particular peer's OCSP stapling request or not. RFC 6066 "TLS Extensions Definition", Section "8. Certificate Status Request" says: "Note that a server MAY also choose not to send a "CertificateStatus" message, even if has received a "status_request" extension in the client hello message and has sent a "status_request" extension in the server hello message."

These two references create ambiguity, as I see it: is it mandatory for an EAP-TLS server to respond to an OCSP stapling request? If not, per RFC 6066, then "MUST Implement" of RFC 9190 has no effect, since it's possible to implement an EAP-TLS 1.3 server that never responds to an OCSP stapling request, and that is equal to not implementing OCSP stapling at all. This is what I would be happy to clarify.

Note: there's at least one scenario when an EAP-TLS server has a good motivation not to send a CertificateStatus message: when the peer sends a list of trusted OCSP Responders in which the server's OCSP Responder is not mentioned.

Thanks,
Oleg
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
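The scenario raised in the note above (the peer lists trusted OCSP responders and the server's responder is not among them) hinges on the responder_id_list inside the RFC 6066 status_request extension. The following is an added example, not part of Oleg's message or of any EAP-TLS implementation: it parses the CertificateStatusRequest wire format and applies a server-side "staple or not" decision that honours an empty list (any responder acceptable) and a non-empty list (staple only if our responder is listed). The ResponderID values are constructed placeholders in DER byKey form, not real responder key hashes.

```python
import struct

OCSP_STATUS_TYPE = 1  # CertificateStatusType.ocsp (RFC 6066, Section 8)

def _read_vector16(buf: bytes, pos: int):
    """Read one opaque <0..2^16-1> vector at pos; return (body, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[pos:pos + n], pos + n

def parse_status_request(ext_data: bytes):
    """Parse a CertificateStatusRequest; return (responder_ids, request_extensions)."""
    if not ext_data or ext_data[0] != OCSP_STATUS_TYPE:
        raise ValueError("unsupported status_type")
    rid_list, pos = _read_vector16(ext_data, 1)
    responder_ids, p = [], 0
    while p < len(rid_list):
        rid, p = _read_vector16(rid_list, p)
        if not rid:  # ResponderID is <1..2^16-1>: an empty entry is malformed
            raise ValueError("empty ResponderID")
        responder_ids.append(rid)
    request_extensions, pos = _read_vector16(ext_data, pos)
    if pos != len(ext_data):
        raise ValueError("trailing bytes after CertificateStatusRequest")
    return responder_ids, request_extensions

def build_status_request(responder_ids, request_extensions: bytes = b"") -> bytes:
    """Encode a CertificateStatusRequest (used here to construct client-side samples)."""
    body = b"".join(struct.pack("!H", len(r)) + r for r in responder_ids)
    return (bytes([OCSP_STATUS_TYPE]) + struct.pack("!H", len(body)) + body
            + struct.pack("!H", len(request_extensions)) + request_extensions)

def should_staple(ext_data: bytes, our_responder_id: bytes) -> bool:
    """Server decision: an empty responder_id_list means any responder is acceptable;
    otherwise staple only if the responder that signs our OCSP response is listed."""
    responder_ids, _ = parse_status_request(ext_data)
    return not responder_ids or our_responder_id in responder_ids

# Constructed sample ResponderIDs in DER byKey form: [2] KeyHash, i.e. tag 0xA2 wrapping a
# 20-byte OCTET STRING. The key hashes are placeholders, not real responder keys.
OUR_RESPONDER = b"\xa2\x16\x04\x14" + bytes(range(20))
OTHER_RESPONDER = b"\xa2\x16\x04\x14" + bytes(range(20, 40))
```

A server that parses the list this way can log the "responder not listed" case distinctly from a stapling failure, which makes the RFC 6066 MAY visible to operators rather than silently indistinguishable from not implementing stapling.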