[Joe] The KDF needs to be looked at, but I do not think it is necessarily a show stopper; it does provide KDF agility. Reports from people who implemented EAP-GPSK indicate that it was simple to implement. I have heard pushback from embedded system implementers on EAP-TLS stating that it is too complex; this may be a result of certificate support, I am not sure.
In my experience, adding certificate support dramatically increases footprint. For example, as I recall IKEv1/IPsec with AES CBC/HMAC-SHA1 is around 250 KB or so if we're just talking about pre-shared key authentication, but if you add certificate support that is another 750 KB, which will be too big for some applications.
I would think that the same logic applies to EAP-TLS-PSK. Of course that would require a stripped-down implementation of TLS that only supported TLS-PSK, no certificates. I guess that doesn't exist yet? If you had to pull in all of, say, OpenSSL plus add TLS-PSK support, that would almost certainly make it too large for many embedded applications.
_______________________________________________ Emu mailing list [email protected] https://www1.ietf.org/mailman/listinfo/emu
