Hi Alan, 

> Tschofenig, Hannes (NSN - FI/Espoo) wrote:
> > Ask yourself: Is there indeed a problem with transferring the “long”
> > public keys (of the client, as you state below)?
> 
>   I've seen this be a problem when the long keys require too many round
> trips.  ~20K of data, or ~20 round trips is about the limit.
For TLS client authentication I am wondering why a certificate chain needs to 
be transmitted to the server. 

>   One way to optimize this is to *not* send the certificates on every
> authentication.

Correct. One could use the cached info extension if the size is a concern but I 
don't think it actually is. 

> All implementations I've seen currently exchange all of
> the certs, including any CA chain.  But I'm not sure that this is
> required.

This seems to be the result of misconfiguration. 

>   Sending only client/server cert would minimize the number of round
> trips.

That's what should be done.

Ciao
Hannes

> 
>   Alan DeKok.
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu