IETF Logo Mail Archive

[Emu] Consensus Call on OCSP usage in draft-ietf-emu-eap-tls13-11

Joseph Salowey <joe@salowey.net> Thu, 29 October 2020 16:23 UTC

Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EB053A07E6 for <emu@ietfa.amsl.com>; Thu, 29 Oct 2020 09:23:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ayv0Pm0ggVCp for <emu@ietfa.amsl.com>; Thu, 29 Oct 2020 09:23:52 -0700 (PDT)
Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com [IPv6:2607:f8b0:4864:20::82d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A91D53A00C9 for <emu@ietf.org>; Thu, 29 Oct 2020 09:23:52 -0700 (PDT)
Received: by mail-qt1-x82d.google.com with SMTP id s39so2202048qtb.2 for <emu@ietf.org>; Thu, 29 Oct 2020 09:23:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=kFbjBr7UMvyzvcYieXJBZG/WU/gEj2TOCdbQUeQfJWg=; b=u5/pb6qHnXXmbjju1zlFWdNPHTV0ZRRk9H66zAk5IKqjhho5RVmyNn/i9qzW2mXiGd UGHbOLuI6pfaFS4Z417JCkE5Dchy4YnEN7b/J3OkCCMR05dQ7NaUv1t12POpRjEKRwUR U3zcaZYHTMXbBB/GmpuvaT7YSfaVni6bKkTYjGk3h5dnhVYxrUnDuwRDDVwlW5Qlqq4U D2S78jg0ce69pQGDj/lIbLnkdP5SqQNE0bQUFrMrjW4f4WkxUaWBfXPz4u4X9Oywooyp aqqImqiRDrFiHR06GE9qTqGL3Op2zgUpe9oVMs9i+VvkcW7hpJFT3Sy61jjR0txvBK5W /IVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=kFbjBr7UMvyzvcYieXJBZG/WU/gEj2TOCdbQUeQfJWg=; b=Epi2GEeX4GBpqmz1kBuVCqZ19yTB2uzSDFPoW93I7ooNF7u0W1lHSKDJBlFy10Bvx7 d07ks1EIDEwhfKA06tiuGfwjSfHgBwPK3CaQfga1OUcAYL4C+Jm4+08SJz3Cl6nJQrUK ooj5mCEpMf7amfdMc6aGIgoW1TY3MUETpsQACjzSPFR/a8AOWnyiop720r5+/uSdHNxN kqeWhM0l8twtvPxUOLh9Rw24Z7845CDNJF/KdHTnHsGu8Dm9joZRwCM727VkomcqyuEm zcI1V5X3g9pUzLsG8+GILtJ3leQiUQZIf2zsakmMf9b9mb1sL/vbrTziJO1uXaWs8l+o fV7Q==
X-Gm-Message-State: AOAM531WqkStPhDhOll0z2azJ8c7M7lhY9BXH+sZ8ME1Mlds2yBsE56d IjZUPP6W0lF/0TrKeVhtoJ8mQHtY3iTOPxktX/FemZcSDXjig8kp
X-Google-Smtp-Source: ABdhPJwG1lVBgxEMceEKVzX6KwcYvSWSH64Q7P7h9zTzJhbdLunawsoxWR8rrz4rtYYbewSe0ut4UElSJKrCFze8OWk=
X-Received: by 2002:ac8:120a:: with SMTP id x10mr4223095qti.95.1603988631488; Thu, 29 Oct 2020 09:23:51 -0700 (PDT)
MIME-Version: 1.0
From: Joseph Salowey <joe@salowey.net>
Date: Thu, 29 Oct 2020 09:23:40 -0700
Message-ID: <CAOgPGoDbsunLOxrnFxa8uMxG6JYObX_r5VLOvVib5QmFHGOrwA@mail.gmail.com>
To: EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009ab73c05b2d1b4d4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/kvwl5pRWEPrca2OdX7MjpF_nw5o>
Subject: [Emu] Consensus Call on OCSP usage in draft-ietf-emu-eap-tls13-11
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Oct 2020 16:23:54 -0000

An issue was raised in a review of  draft-ietf-emu-eap-tls13-11 on the
mandatory requirement for OCSP stapling [1].  The document makes the use of
OCSP mandatory in section 5.4 [2]. Several folks have pointed out that this
may not be feasible in all deployments.  This is a quick consensus call for
this issue.   Please indicate which option below you support and why.
Please respond by November 5, 2020.

1. Keep the text as is with OCSP mandatory for all implementations

2. Require Servers to Implement and Recommended to Use OCSP with text
similar to the following:

“EAP-TLS servers supporting TLS 1.3 MUST implement Certificate Status
Requests (OCSP stapling) as specified in Section 4.4.2.1 of [RFC8446].  It
is RECOMMENDED that EAP-TLS peers and servers use OCSP stapling for
verifying the status of server certificates as specified in Section 4.4.2.1
of [RFC8446]. When an EAP-TLS peer uses OCSP to verify the certificate
status of the EAP-TLS server, it MUST use Certificate Status Requests for
the server's certificate chain and it MUST treat a CertificateEntry (except
the trust anchor) without a valid CertificateStatus extension as invalid
and abort the handshake with an appropriate alert.“

Thanks,

Joe

[1] https://mailarchive.ietf.org/arch/msg/emu/0DnfUWPqvKX0_Wo8s-ZypergMHI/
[2] https://tools.ietf.org/html/draft-ietf-emu-eap-tls13-11#section-5.4

v2.23.0 | Report a Bug | By Email