RE: [Emu] 2716bis13: Support of certificate_status extension

To: "Nakhjiri Madjid-VXT746" <madjid.nakhjiri at motorola.com>, <bernarda at windows.microsoft.com>, <emu at ietf.org>
Subject: RE: [Emu] 2716bis13: Support of certificate_status extension
From: "Joseph Salowey (jsalowey)" <jsalowey at cisco.com>
Date: Tue, 22 Jan 2008 12:30:31 -0800
Authentication-results: sj-dkim-3; header.From=jsalowey@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc:
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=2319; t=1201033796; x=1201897796; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jsalowey@cisco.com; z=From:=20=22Joseph=20Salowey=20(jsalowey)=22=20<jsalowey@ci sco.com> |Subject:=20RE=3A=20[Emu]=202716bis13=3A=20Support=20of=20c ertificate_status=20extension |Sender:=20; bh=PebKHMEDIoyJ0ym0bqPs5s3vSWNRg43G1vxj6iv68Jo=; b=gS7iiSaOut8alENt6IBd0ohXPicI0QXQo5GUXrTqgRF7F4t3LMLuvKS+u0 zFX5s7dcFiOCjxrjan5Cz7g98DDPTtFvn3LIKfmD2PwQYO0ApRbG9+RrncI/ twDv2Lr7+M;
In-reply-to: <13E2E485D9AA7240A1C55B0B464198B20199658B@ct11exm63.ds.mot.com>
List-archive: <http://www1.ietf.org/pipermail/emu>
List-help: <mailto:emu-request@ietf.org?subject=help>
List-id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-post: <mailto:emu@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
Thread-index: AchaNv/onGCcc/q/T6S06AkIO4YMeAC/iRRg
Thread-topic: [Emu] 2716bis13: Support of certificate_status extension

Hi Madjid,

Comments inline below: 

> -----Original Message-----
> From: Nakhjiri Madjid-VXT746 [mailto:madjid.nakhjiri at motorola.com] 
> Sent: Friday, January 18, 2008 5:03 PM
> To: bernarda at windows.microsoft.com; emu at ietf.org
> Subject: [Emu] 2716bis13: Support of certificate_status extension
> 
> Hi, 
>  
> Question on the following text: 
> 
>  
> 
> "However, in the case where the EAP-TLS peer is attempting to 
> obtain network access, it will not have network connectivity 
> and is therefore not capable of checking for certificate 
> revocation until after authentication completes and network 
> connectivity is available. For this reason EAP-TLS peers and 
> servers SHOULD implement Certificate Status Request messages, 
> as described in "Transport Layer Security (TLS) Extensions" 
> [RFC4366] section 3.6.  To enable revocation checking in 
> situations where servers do not support Certificate Status 
> Request messages and network connectivity is not available 
> prior to authentication completion, peer implementations MUST 
> also support checking for certificate revocation after 
> authentication completes and network connectivity is 
> available, and they SHOULD utilize this capability by default."
> 
>  
> 
> In cases where the server does not support the 
> certificate_status extension, this is a little awkward, the 
> server's cert is expired, but the server does not support the 
> extension. The client has already gotten access to the 
> network after EAP-TLS and so both TLS and the EAP exchange is 
> terminated by an EAP Success. How is the spec suggesting the 
> client to perform the revocation checking? 

[Joe] Once the client has network access it can attempt to access CRLs
or certificate status services using existing mechanisms (CRL
distribution points, OCSP, etc.) 

> and what is the 
> process to break the network access (ignoring the question on 
> why a client who would otherwise be a paying customer, really 
> wanted this) after already have gained the access?
> 
[Joe] The process depends upon the client and underlying network access
technology. 

>  
> 
> Thanks,
> 
>  
> 
> Madjid 
> 
>  
> 
> 


_______________________________________________
Emu mailing list
Emu at ietf.org
https://www1.ietf.org/mailman/listinfo/emu

Follow-Ups:
- RE: [Emu] 2716bis13: Support of certificate_status extension
  - From: Nakhjiri Madjid-VXT746

References:
- [Emu] 2716bis13: Support of certificate_status extension
  - From: Nakhjiri Madjid-VXT746

Prev by Date: RE: [Emu] EMU charter update,
Next by Date: RE: [Emu] EMU charter update,
Previous by thread: [Emu] 2716bis13: Support of certificate_status extension
Next by thread: RE: [Emu] 2716bis13: Support of certificate_status extension
Index(es):
- Date
- Thread

RE: [Emu] 2716bis13: Support of certificate_status extension

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.