On Jul 9, 2025, at 1:08 AM, tirumal reddy <[email protected]> wrote:
> The draft https://datatracker.ietf.org/doc/draft-reddy-emu-pqc-eap-tls/ 
> proposes enhancements to EAP-TLS and EAP-TTLS to incorporate PQC mechanisms. 
> It also addresses challenges related to large certificate sizes and long 
> certificate chains, and provides recommendations for integrating PQC 
> algorithms into EAP-TLS and EAP-TTLS deployments.  

  I won't speak to the PQC issues, but I do have other comments.

  The proposed URLs are of the form

        /.well-known/est/eapservercertchain
        /.well-known/est/eapclientcertchain

  I would suggest separating those out into subdirectories:

        /.well-known/est/eap/server/cert/chain

  This is a minor point.  Having a hierarchy of names is better than long names 
at the top level.  It allows for future expansion within a scoped hierarchy.

  I'd also suggest associated DNS records, using the URI type:

        _chain._server._eap.DOMAIN URI "https://DOMAIN/.well-known/est/eap/server/cert/chain"
<https://domain/.well-known/est/eap/client/cert/chain>

  The DNS RR isn't strictly needed for this proposal, but it can make client 
configuration easier.

  The main benefit I see of this proposal is the removal of the need to 
exchange large certificate chains.  That behavior is historical.  There have 
been various small attempts to address it over the years.  This is the first 
proposal I've seen which is practical.

  What happens when the chain is modified?  Are the clients and servers 
supposed to cache the chains?  Doing so would help with performance, but it 
could also affect the ability to update the chains.

  Alan DeKok.
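As an added illustration (not code from the draft or from either poster) of the two points raised above, the hierarchical `_chain._<role>._eap.<domain>` URI record and the caching question, the following Python parses a URI RR, checks that its target is the matching well-known chain URL inside the publishing domain, and caches the fetched chain until the shorter of the DNS TTL and the HTTP max-age expires. The owner-name layout, `ChainPointer`, `ChainCache` and the `fetch` callback are assumptions; the `example.com` record is constructed.

```python
import re
import time
from dataclasses import dataclass
from urllib.parse import urlparse
# Hypothetical owner-name layout following the thread's suggestion: _chain._<role>._eap.<domain>
OWNER_RE = re.compile(r"^_chain\._(server|client)\._eap\.(?P<domain>\S+?)\.?$")
PATH_RE = re.compile(r"^/\.well-known/est/eap/(server|client)/cert/chain$")
RR_RE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+URI\s+\d+\s+\d+\s+"([^"]+)"$')
@dataclass
class ChainPointer:
    role: str
    domain: str
    url: str
    ttl: int

def parse_uri_rr(rr: str) -> ChainPointer:
    """Parse 'owner TTL IN URI priority weight "target"' and validate the target for that owner."""
    m = RR_RE.match(rr.strip())
    if not m:
        raise ValueError("not a URI RR")
    owner, ttl, target = m.group(1), int(m.group(2)), m.group(3)
    om = OWNER_RE.match(owner)
    if not om:
        raise ValueError("owner is not _chain._<role>._eap.<domain>")
    role, domain = om.group(1), om.group("domain")
    u = urlparse(target)
    pm = PATH_RE.match(u.path)
    if u.scheme != "https" or pm is None or pm.group(1) != role:
        raise ValueError("target is not the https well-known chain URL for this role")
    host = u.hostname or ""
    # Only follow targets inside the publishing domain, so a record cannot send the fetch elsewhere.
    if host != domain and not host.endswith("." + domain):
        raise ValueError("target host outside publishing domain")
    return ChainPointer(role, domain, target, ttl)

class ChainCache:
    """Cache fetched chains until min(DNS TTL, HTTP max-age) so republished chains are picked up."""
    def __init__(self, fetch):
        self._fetch = fetch   # fetch(url) -> (chain_bytes, http_max_age_seconds); assumed callback
        self._entries = {}    # url -> (chain_bytes, expires_at)
    def get(self, ptr: ChainPointer, now: float = None) -> bytes:
        now = time.time() if now is None else now
        hit = self._entries.get(ptr.url)
        if hit is not None and now < hit[1]:
            return hit[0]
        chain, max_age = self._fetch(ptr.url)
        self._entries[ptr.url] = (chain, now + min(ptr.ttl, max_age))
        return chain
```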

_______________________________________________
Emu mailing list -- [email protected]
To unsubscribe send an email to [email protected]
