Hi,

We have submitted a new version of the draft. The changes concern 
re-organization of the text to distinguish which recommendations require 
changing certificates, and which require changing code. We are soliciting text 
on guidelines for certificates used in EAP-TLS.

Comments on the changes as well as reviews of the whole document are very 
welcome.

Cheers,
John

-----Original Message-----
From: "internet-dra...@ietf.org" <internet-dra...@ietf.org>
Date: Monday, 22 October 2018 at 12:26
To: Mohit Sethi <mo...@piuha.net>, John Mattsson <john.matts...@ericsson.com>
Subject: New Version Notification for draft-ms-emu-eaptlscert-01.txt


A new version of I-D, draft-ms-emu-eaptlscert-01.txt
has been successfully submitted by John Mattsson and posted to the
IETF repository.

Name:           draft-ms-emu-eaptlscert
Revision:       01
Title:          Handling Large Certificates and Long Certificate Chains in EAP-TLS
Document date:  2018-10-22
Group:          Individual Submission
Pages:          7
URL:            https://www.ietf.org/internet-drafts/draft-ms-emu-eaptlscert-01.txt
Status:         https://datatracker.ietf.org/doc/draft-ms-emu-eaptlscert/
Htmlized:       https://tools.ietf.org/html/draft-ms-emu-eaptlscert-01
Htmlized:       https://datatracker.ietf.org/doc/html/draft-ms-emu-eaptlscert
Diff:           https://www.ietf.org/rfcdiff?url2=draft-ms-emu-eaptlscert-01

Abstract:
   Extensible Authentication Protocol (EAP) provides support for
   multiple authentication methods.  EAP-Transport Layer Security (EAP-
   TLS) provides means for key derivation and strong mutual
   authentication with certificates.  However, certificates can often be
   relatively large in size.  The certificate chain to the root-of-trust
   can also be long when multiple intermediate Certification Authorities
   (CAs) are involved.  This implies that EAP-TLS authentication needs
   to be fragmented into many smaller packets for transportation over
   the lower-layer.  Such fragmentation can not only negatively affect
   the latency, but also result in implementation challenges.  For
   example, many authenticator (access point) implementations will drop
   an EAP session if it hasn't finished after 40 - 50 packets.  This can
   result in failed authentication even when the two communicating
   parties have the correct credentials for mutual authentication.
   Moreover, there are no mechanisms available to easily recover from
   such situations.  This memo looks at the problem in detail and
   discusses the solutions available to overcome these deployment
   challenges.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
