Alan, John,

> On Dec 22, 2017, at 1:12 PM, John Mattsson <[email protected]> wrote:
>
>> In TLS 1.3, ECC is mandatory to support. This drastically reduces the sizes
>> of certificates and signatures (public key sizes from 384 bytes (RSA and
>> DHE) to 32 bytes (ECDHE) and signatures from 384 bytes (RSA) to 64 bytes
>> (ECDSA and EdDSA)).
>
> This doesn't help people with established certificates, business practices,
> etc.
>
>> Anything for older versions of TLS would have to be pure recommendations or
>> guidance to preserve backward compatibility. I think we should update the
>> charter to cover guidance on how to handle large certificates and long
>> certificate chains in EAP-TLS with all versions of TLS. This could be
>> handled in the same bullet as “guidance or update to enable the use of TLS
>> 1.3”.
>
> That would definitely be useful.
I think all this calls for something in the charter. The substance of what we actually say in any final documents is something that we’ll need to work on in the coming months, but for now I think something about understanding and documenting the issues and making recommendations where possible suffices. Some of this is a choice in the hands of whoever deploys EAP servers (e.g., cert chains, algorithms), while other things may be harder to change (what clients support, what existing NASes consider the maximum message number limit, etc.).

Jari
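The reason large certificates and long chains hurt in EAP-TLS, as an added illustration that is not part of the thread or of any EMU document: the server's TLS flight is cut into EAP-TLS fragments, and every fragment costs one EAP round trip through the NAS, which is where a "maximum message number" limit bites. The framing below follows the RFC 5216 packet layout (Code, Identifier, Length, Type 13, Flags L/M/S, optional TLS Message Length); the fragment size and the sample flight are constructed assumptions, not values from the thread.

```python
import struct

# EAP (RFC 3748) and EAP-TLS (RFC 5216) constants.
EAP_REQUEST, EAP_TYPE_TLS = 1, 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More fragments, Start

def fragment(tls_data: bytes, max_eap_len: int, first_id: int = 1) -> list:
    """Split one TLS flight into EAP-TLS Request packets of at most max_eap_len bytes.
    Each packet is one EAP Request/Response exchange, i.e. one round trip via the NAS."""
    if max_eap_len <= 10:
        raise ValueError("max_eap_len must leave room for the EAP-TLS header")
    packets, offset, ident = [], 0, first_id
    while offset < len(tls_data):
        first = offset == 0
        hdr_len = 10 if first else 6          # first fragment carries TLS Message Length
        chunk = tls_data[offset:offset + max_eap_len - hdr_len]
        offset += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if offset < len(tls_data) else 0)
        body = struct.pack("!BB", EAP_TYPE_TLS, flags)
        if first:
            body += struct.pack("!I", len(tls_data))
        body += chunk
        packets.append(struct.pack("!BBH", EAP_REQUEST, ident & 0xFF, 4 + len(body)) + body)
        ident += 1
    return packets

def reassemble(packets) -> bytes:
    """Peer-side reassembly, rejecting fragments that disagree with the announced length."""
    buf, announced = bytearray(), None
    for pkt in packets:
        _code, _ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or length < 6 or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        flags, pos = pkt[5], 6
        if flags & FLAG_L:
            if length < 10:
                raise ValueError("L flag set but no TLS Message Length field")
            announced, pos = struct.unpack("!I", pkt[6:10])[0], 10
        buf += pkt[pos:]
        if announced is not None and len(buf) > announced:
            raise ValueError("fragments exceed announced TLS Message Length")
        if not flags & FLAG_M:
            break
    if announced is not None and len(buf) != announced:
        raise ValueError("incomplete TLS message")
    return bytes(buf)

def round_trips(flight_len: int, max_eap_len: int) -> int:
    """EAP round trips needed to deliver a flight of flight_len bytes (assumed EAP MTU)."""
    return len(fragment(bytes(flight_len), max_eap_len))
```

Feeding `round_trips` the size of a full server flight (chain plus handshake) shows how quickly an RSA chain of several certificates outgrows a NAS that caps the number of EAP exchanges, while the far smaller ECC chain sizes quoted above stay within it.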
