On Fri, Oct 30, 2020 at 4:44 AM Michael Richardson <mcr+i...@sandelman.ca> wrote:
> > Joseph Salowey <j...@salowey.net> wrote:
> >> I suggest:
> >>
> >> “EAP-TLS servers supporting TLS 1.3 that use OCSP to do certificate
> >> revocation checks, MUST implement Certificate Status Requests using OCSP
> >> stapling as specified in Section 4.4.2.1 of [RFC8446].
> >
> > [Joe] Thanks Michael, I think your suggestion is a better way to
> > phrase it
>
> Just so that we are clear: this mandates OCSP+stapling for systems that do
> revocation checks.
>
> Systems that don't do revocation checks (current mbedtls), therefore don't
> need to do OCSP or stapling.
>

[Joe] That's not how I read your text. I think your text mandates OCSP+stapling for systems that use OCSP for revocation. TLS 1.3 RFC 8446 does not mandate a particular revocation mechanism either, as revocation is part of PKIX. Also, to be clear, your text does not mandate that either servers or clients support OCSP Stapling. I think it would be appropriate to modify your text to replace "use" with "support":

"EAP-TLS servers supporting TLS 1.3 that support OCSP to do certificate revocation checks, MUST implement Certificate Status Requests using OCSP stapling as specified in Section 4.4.2.1 of [RFC8446]."

> --
> Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
> Sandelman Software Works Inc, Ottawa and Worldwide
>
>
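The thread turns on what "implement Certificate Status Requests using OCSP stapling" means on the wire in TLS 1.3: the client asks with the status_request extension and the server carries the OCSP response inside its Certificate message (RFC 8446, Section 4.4.2.1), so a peer that cannot reach an OCSP responder itself (the EAP case) still gets revocation status. The following Go program is an added example, not code from this thread, the EAP-TLS draft, or mbedtls. It uses Go's standard crypto/tls, which sends status_request from the client by default and exposes the staple as ConnectionState().OCSPResponse; the self-signed certificate, the loopback server and the staple bytes are all constructed here, and the staple is a labelled placeholder rather than a real DER OCSPResponse (the client library does not parse it, it only hands it back).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// constructedStaple stands in for a DER-encoded OCSPResponse. A real server
// would attach the signed response fetched from its CA's OCSP responder.
var constructedStaple = []byte("CONSTRUCTED-OCSP-RESPONSE-PLACEHOLDER")

// selfSignedCert builds a throwaway self-signed server certificate plus a
// root pool that trusts it, so the client can verify the chain normally.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "eap-tls-server.example"}, // assumed name
		DNSNames:              []string{"eap-tls-server.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// StapledStatus runs one TLS 1.3 handshake over loopback with the given OCSP
// staple attached to the server certificate and returns whatever status the
// client received in the server's Certificate message (nil if nothing was stapled).
func StapledStatus(staple []byte) ([]byte, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	cert.OCSPStaple = staple // sent only if the client asked via status_request

	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS13,
	})
	if err != nil {
		return nil, err
	}
	defer ln.Close()

	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer c.Close()
		srvErr <- c.(*tls.Conn).Handshake() // Accept alone does not handshake
	}()

	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    pool,
		ServerName: "eap-tls-server.example",
		MinVersion: tls.VersionTLS13,
	})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	if err := <-srvErr; err != nil {
		return nil, err
	}
	st := conn.ConnectionState()
	if st.Version != tls.VersionTLS13 {
		return nil, errors.New("negotiated version is not TLS 1.3")
	}
	return st.OCSPResponse, nil
}

func main() {
	got, err := StapledStatus(constructedStaple)
	fmt.Printf("with staple: %q err=%v\n", got, err)
	none, err := StapledStatus(nil)
	fmt.Printf("without staple: %d bytes err=%v\n", len(none), err)
}
```

The second handshake in main shows the other half of the thread's point: a server that stapled nothing leaves the client with no status at all, and an EAP supplicant behind an unauthenticated port has no way to fetch one itself. In a real deployment the bytes returned from StapledStatus would be parsed and signature-checked against the issuer (for example with golang.org/x/crypto/ocsp, which is outside the standard library and not used here) before the client decided whether the server certificate is acceptable.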
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu