Mohit Sethi M <mohit.m.sethi=40ericsson....@dmarc.ietf.org> wrote:
> So we were already saying "SHOULD" for OCSP in 2008 when RFC 5216 was
> published. And now 12/13 years later, some people in the working group
> are suggesting to make the security stance weaker. For what? Some
> speculative insecure future deployments? Please note that EAP-TLS is
> currently implemented in billions of devices and used in many high
> security deployments.

I don't think that people were saying it should be weaker than SHOULD.

I also think that there is a distinction between MTI and mandatory to use which has gotten lost.

And I think that there is also a significant distinction between a server supporting answering OCSP staples, vs a client being forced to ask for it.

If the CA doesn't put any OCSP data into a certificate, then it can't be used. That's a local decision.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu