[Emu] Re: New Version Notification for draft-reddy-emu-pqc-eap-tls-00.txt

Wed, 09 Jul 2025 10:41:02 -0700 

Alan DeKok <[email protected]> wrote:
    > On Jul 9, 2025, at 1:08 AM, tirumal reddy <[email protected]> wrote:
    >> The draft
    >> https://datatracker.ietf.org/doc/draft-reddy-emu-pqc-eap-tls/ proposes
    >> enhancements to EAP-TLS and EAP-TTLS to incorporate PQC mechanisms. It
    >> also addresses challenges related to large certificate sizes and long
    >> certificate chains, and provides recommendations for integrating PQC
    >> algorithms into EAP-TLS and EAP-TTLS deployments.

    >   I won 't speak to the PQC issues, but I do have other comments.

    >   The proposed URLs are of the form

    >   /.well-known/est/eapservercertchain
    > /.well-known/est/eapclientcertchain

    >   I would suggest separating those out into subdirectories:

>       /.well-known/est/eap/server/cert/chain

EST says that /.well-known/est/FOOBAR is already a thing, and that it refers
to some kind of specific purpose CA.  So if a client needs a specific
application certificate, that it would use this.
I think that it hasn't been used much in the field, but I could be completely
uninformed here.    So I like the more descriptive URL, but it might conflict.

RFC8995 initially created an EST registry, to which it added to.
Then it changed it's mind and moved to /.well-known/brski for everything.
(very late)
I was actually looking for the EST registry on IANA.org yesterday, but I
think that IANA withdrew that.

    >   The main benefit I see of this proposal is the removal of the need to
    > exchange large certificate chains.  That behavior is historical.  There
    > have been various small attempts to address it over the years.  This is
    > the first proposal I've seen which is practical.

    >   What happens when the chain is modified.  Are the clients and servers
    > supposed to cache the chains?  Doing so would help with performance,
    > but it could also affect the ability to update the chains.

I will have to go read this document to understand how the specific
certificiate chain is identitied.

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Emu mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to