Section 4.2.9 reads:
The Request-Action TLV MAY be sent by both the peer and the server in response to a successful or failed Result TLV.
I suggest that this text be changed to allow a Request-Action TLV to be sent at any time. The reasoning for this is that even with a successful TLS exchange, the *server* may decide that the client needs a new certificate. That may be due to many factors, including trust anchor changes or some sort of compromise condition.
Since nobody previously implemented the PKCS#10/PKCS#7 TLVs, this shouldn't cause interoperability problems with earlier configs.
Eliot
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu