Alan DeKok said: " It may also be worth re-examining EAP-TLS. Modern certificates are getting large, and people are using longer certificate chains. The result can be that initial EAP-TLS authentication takes many packets. This has issues not just for latency, but also access point implementations. Most implementations will drop an EAP session if it hasn't finished after 40-50 packets. I've seen people run into this issue with large certificates and long certificate chains. It would be good to find a way to allow this use-case."
[BA] I have encountered this problem in a number of situations, particularly in enterprise deployments with several levels of intermediate CAs. Since the certificate hierarchy is relatively static, this seems like a problem that could be addressed via caching. For example, if client A has previously authenticated to server B and has cached the certificate chain, why does it need to be transmitted again? Similarly, if server B has already cached certificates from intermediate CAs, why does the client need to transmit that information again? Seems like this could be addressed by a small extension to TLS.
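As an added illustration of the packet-count concern raised in this thread (example code written for this page, not from the thread, RFC 5216 or any EAP implementation): a back-of-envelope model of how many EAP packets an EAP-TLS handshake needs for a given certificate chain, with and without the intermediate certificates cached. The chain sizes, fragment size and handshake overheads are constructed assumptions, and the 40-packet threshold is the lower end of the 40-50 packet limit Alan mentions.

```python
"""Simplified EAP-TLS packet-count model for capacity checks on certificate chains."""
import math
from typing import Sequence

# Constructed sample values (not from any real deployment): DER size in bytes
# of each certificate, leaf first, root omitted, four intermediate CAs.
SERVER_CHAIN = (2100, 1900, 1900, 1900, 1900)
CLIENT_CHAIN = (2000, 1900, 1900, 1900, 1900)
FRAGMENT_SIZE = 1024      # assumed EAP-TLS fragment size in bytes
SERVER_OVERHEAD = 400     # assumed non-certificate bytes in the server flight (hypothetical)
CLIENT_OVERHEAD = 300     # assumed bytes for ClientKeyExchange/CertificateVerify/Finished
DROP_THRESHOLD = 40       # lower end of the 40-50 packet limit quoted in the thread


def fragments(flight_bytes: int, fragment_size: int = FRAGMENT_SIZE) -> int:
    """Number of EAP packets needed to carry one TLS flight, one fragment per packet."""
    return max(1, math.ceil(flight_bytes / fragment_size))


def flight_size(chain: Sequence[int], overhead: int, intermediates_cached: bool) -> int:
    """Bytes on the wire for a flight; with caching only the leaf certificate is sent."""
    sent = chain[:1] if intermediates_cached else chain
    return overhead + sum(sent)


def estimate_packets(server_chain: Sequence[int], client_chain: Sequence[int],
                     server_cached: bool = False, client_cached: bool = False,
                     fragment_size: int = FRAGMENT_SIZE) -> int:
    """Total EAP packets (requests plus responses) for a TLS 1.2-style EAP-TLS handshake.

    Model: Identity (2) + EAP-TLS Start (1) + ClientHello (1) + S server fragments with
    S-1 ACKs + C client fragments with C-1 ACKs + server Finished (1) + client ACK (1)
    + EAP-Success (1) = 2S + 2C + 5.  Retransmissions are ignored.
    """
    s = fragments(flight_size(server_chain, SERVER_OVERHEAD, server_cached), fragment_size)
    c = fragments(flight_size(client_chain, CLIENT_OVERHEAD, client_cached), fragment_size)
    return 2 * s + 2 * c + 5


def exceeds_limit(packets: int, threshold: int = DROP_THRESHOLD) -> bool:
    """True when the handshake is at risk of being dropped by the access point."""
    return packets >= threshold


if __name__ == "__main__":
    full = estimate_packets(SERVER_CHAIN, CLIENT_CHAIN)
    cached = estimate_packets(SERVER_CHAIN, CLIENT_CHAIN, True, True)
    print(f"full chains: {full} packets, at risk={exceeds_limit(full)}")
    print(f"intermediates cached: {cached} packets, at risk={exceeds_limit(cached)}")
```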
_______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu