IETF Logo Mail Archive

[Emu] Re: Call for adoption: draft-reddy-emu-pqc-eap-tls-03 (Ends 2026-05-12)

tirumal reddy <kondtir@gmail.com> Wed, 29 April 2026 07:08 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: emu@mail2.ietf.org
Delivered-To: emu@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 62DC9E574E97 for <emu@mail2.ietf.org>; Wed, 29 Apr 2026 00:08:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1777446497; bh=i0BdaGpLhj2sp7en2dpCS1tlj0dtvJ7FrVq1e8FQPS4=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=O6NTsNFPVra2a5o1lDQqndSlIn7kB3ZautaMHTVoTuSsQXSVIo1aLqicuuuV+VB6b KDVC7ZN7qYwtdzLQpz1BFlBOdh0Y0YwUZD/jvcnkygrdwrOEdHkNn1GpDElsPDiXy0 +bBziecmuA0+xD1x5gXKfeDRnO+X3vel9Sm2a1t4=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kj-zgXTkCHHP for <emu@mail2.ietf.org>; Wed, 29 Apr 2026 00:08:16 -0700 (PDT)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 93FC5E574E90 for <emu@ietf.org>; Wed, 29 Apr 2026 00:08:16 -0700 (PDT)
Received: by mail-ed1-x534.google.com with SMTP id 4fb4d7f45d1cf-678e678970fso6540631a12.2 for <emu@ietf.org>; Wed, 29 Apr 2026 00:08:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1777446495; cv=none; d=google.com; s=arc-20240605; b=Po91zCCD4QEMtvDAKbyp8PSjwHZz6YJTFznnxvbhhlptcf7nXuHmimN65kbB0oSusW kAb8YV1h9IR3SIRITodIO+gD+n6lolrDxK6PJzm7UxxDo2xJTxvn16xchd4CMRZEFqWB fAMK/+QqLok1F3yyVU70JKz58iBXzDQOjnQ3PmOLJCSXWI3AYJ28fcIC/mfcqR2IwKg/ 9U/uw2Aqq1zXEBcsxc5zpiEVnxeL5U/UdNYOKBF9fUQYnmh/erqztBkbNcdqxO2pUTZv Lek5BlDyC+mLIesm5lsXaxU1i7kLFj0P8wZaexyLTMHX/Kmw4A7jiUFTP4ZK5G8mIZo1 6o7g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=ZYw23cPccjkpsime8X6xbzpu8RrlB/ncJKqO9ajMhSs=; fh=oLGLjTEYgHhNTaw6J9yMhRcWdC9J/FL/1PDq+CJVKSE=; b=HBn8gSN2o2wuCIyPeZgSpy74kmF1lhMuPxbzAeTSPKZTZXVAfuomoxsxIm8GA33Rtx Wg1iHDpWNSbkv2GTeZRve/X8l61j9zEa92HjQTfpTPBdz83zBSTNkXkyxSHrrKvRrShi wMaimhfGOlLccWQUU9A7LZwzA+J4NEP8gUJydf4tojMT3dMby93KAzYO/yvMWzwKsJCe BbMrBNHFufbckDG7OnOBLwvE6RnMZYhRvQvM8/S144BhofeDSk68HP6jBwrI4tUr4/Qa BX1P196AsqgMkIqeBNQHMEn1JqLqBtDjqKbwJ3HhAnigEJdaBN4SnR4P/SG+FySjVT2w JrEA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777446495; x=1778051295; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ZYw23cPccjkpsime8X6xbzpu8RrlB/ncJKqO9ajMhSs=; b=d8HEIS/iCJwMY4OLLqTFIDPzu2hP+nSxNG+hircn/Y5eab0H1oL/ZgXvP6r+ZESz/O VtSYEmFI865i5i0tKqVViZCDaPz+zN0Ux12D/8THqCLI0cJ8fYW0tGXTpLREmua2T3/9 Md/xbXdjE417tvDuWzTddIVGxuWhMlyG9HDvz2eLngf825kY8wgVquCUBzcAUZ0WKTGX y9FivQXhtCQ1lebmHrCHXsGGwDMNFPoEztpk3cxJpeVoG/DpnNns7alPFCsjO9neWopD 3Jyz7jbFN4ywMw1vn4nRI0GPzzoprQs+iw80Cn2FXy/pm93S4ZQWG3jGfu3Vquzb9oqn tMjQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777446495; x=1778051295; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=ZYw23cPccjkpsime8X6xbzpu8RrlB/ncJKqO9ajMhSs=; b=TYOTq7Zq8tvWT9HeKO3gWl4VgztL+xCW7mfTPsuW0cOzEpoJ79ZcyzTrnvMw60JVWq XYMmYp0q8xKVv+Iw/TEQr8zK8gFyp77wy/zU+lCDedRwJT0K8Ozpajty8/gqWhnPFvz4 IFODKokRwcTDY5ZmfTDCmyTv1SFDWpEWzVK/dvDWHURNujKK6fZ4aTTgWfVsPZgRda79 xKT0V2sFMQN+54LlhsQ4qtac6T8NWwePWULKM5XGnQeiYS6MPdH3MkFXoRf9YE4+rZ7L B0Xnb1vdlT5/zSAmadE48pue5FAON2JNlhi4fTkfHh4LqXJMiDJxJk6mNJVrjnwhJUQa EqFQ==
X-Forwarded-Encrypted: i=1; AFNElJ/1/wey3qorqFa8qah+jjYhIresBPwD9dGkpW6v0ZN9oABXBAN/3yvQ+paVX449gFPVvyQ=@ietf.org
X-Gm-Message-State: AOJu0YyYRLbCi3mNe6NhTEw54seks46JQcFXQPNn+DM3P91t3uhEl2Pe ZJU7icgH1lZbqhcb92wXi5BbXgQq7F3223Y+yvVP2CblZ1+B+BYxRSZ4lUDKaOBsZaS8b+rQ3q9 qQdAe2EeE0dMD+5h8PA8JJvqTybEjTGrYrjpV
X-Gm-Gg: AeBDievXgwaHAWcWQYDp6a7sUDNmqWhNJ/rvdlTvpJ0APSfPgRiJUrjqc+V0Icd8O9Z XpxB9sxFhbpyI3BR3g0VyFhE4iKpSTKICxo1unGnDr0c/gVMWpJz72TeM8EkOMNmXcyZ6oK1c8C +22UxD62E/krLq0E8ib9HYH+lbEvrS5Pa5NJjRCFM2gTc0nSrhVA9Jzzjq5ZcJWA3CXCumPpA/T 4dykDKRsflXl4f30NV7JZ7yrdxxLroFjn+iljKESpES8BG/wWaK3xsIXr66pFL6BjkuqAwR8GkA 5XVTDF21ED75yc6PPQ==
X-Received: by 2002:a17:907:3947:b0:ba6:8e19:a50a with SMTP id a640c23a62f3a-bb93ca95d16mr146170666b.12.1777446495317; Wed, 29 Apr 2026 00:08:15 -0700 (PDT)
MIME-Version: 1.0
References: <177737188720.672.9610067155376320831@dt-datatracker-b45949c58-t72jx> <5F0A9979-DFC3-49F8-A8EF-639B8422246C@akayla.com> <c8728f96-6422-4bb9-a762-96c06b6462c9@lear.ch> <CAFpG3gd4_1SCaJ2a88SRS7aAm=C_-wSYNGNPb=3TgWOdCy6WFQ@mail.gmail.com> <24a36783-ca93-4196-a214-2e3a42ede6d7@lear.ch> <CAFpG3ge+kJ15qEVDFVn_ZpaM0cO4USZgEiSpOM__CKhtus1zHQ@mail.gmail.com> <c2a8b45d-55b3-499b-b527-f6b4e7b96060@lear.ch>
In-Reply-To: <c2a8b45d-55b3-499b-b527-f6b4e7b96060@lear.ch>
From: tirumal reddy <kondtir@gmail.com>
Date: Wed, 29 Apr 2026 12:37:37 +0530
X-Gm-Features: AVHnY4JiQM__zelZtgvtGhSGokh6_efGB5VkpTw_gHFK46y-XIFg1Qulc1qqsQE
Message-ID: <CAFpG3gcuTAGWXfdKOq2X_g7SsB6cgAdW-aq9Qoeam9dmzbrYYw@mail.gmail.com>
To: Eliot Lear <lear@lear.ch>
Content-Type: multipart/alternative; boundary="000000000000f5fa1e0650940236"
Message-ID-Hash: BJWDUV35IK4B4CYSVAADNS57X7G3KXH6
X-Message-ID-Hash: BJWDUV35IK4B4CYSVAADNS57X7G3KXH6
X-MailFrom: kondtir@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-emu.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: emu@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Emu] Re: Call for adoption: draft-reddy-emu-pqc-eap-tls-03 (Ends 2026-05-12)
List-Id: "EAP Methods Update (EMU)" <emu.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/7HLmWMMQXpb79xPfRnrBWFlQGY8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Owner: <mailto:emu-owner@ietf.org>
List-Post: <mailto:emu@ietf.org>
List-Subscribe: <mailto:emu-join@ietf.org>
List-Unsubscribe: <mailto:emu-leave@ietf.org>

On Wed, 29 Apr 2026 at 11:53, Eliot Lear <lear@lear.ch> wrote:

> Hi Tiru
> On 29.04.2026 08:01, tirumal reddy wrote:
>
> On Tue, 28 Apr 2026 at 20:43, Eliot Lear <lear@lear.ch> wrote:
>
>> Tiru,
>>
>> The reason I asked both questions is that EAP-TLS in particular is
>> implemented on some 802.15.4 networks that can be lossy, low bandwidth,
>> with low MTU.  I think it's a good idea to have at least some feel for what
>> we're in for with very large keys/certs.
>>
> Valid point.  The handshake size impact in constrained networks like
> 802.15.4 comes from both large PQC certificates and large PQC KEM public
> keys, particularly with PQ/T hybrid schemes. The EST pre-fetching
> optimization discussed in this draft and the optimizations discussed in
> ietf-uta-pqc-app, including certificate chain optimization and optimizing
> ClientHello for Hybrid Key Exchange in TLS Handshake would help reduce this
> overhead. Implementation experience in these environments would be helpful.
>
> Ok, I see what your intent is.  *I *don't think the draft is properly
> structured.  There are numerous ways to get certificates into devices, and
> EST is only one of them.  In fact, specifically with TEAP certificates are
> delivered via TEAP.  The draft should focus on changes required (if any) to
> deliver PQC and to reduce the hello/handshake sizes.  How the intermediate
> certificates are configured is separate.  We are already starting work on
> TEAPv2.  There is already an implementation in hostap.  It would not be
> difficult to add the same level of functionality there.  However, I am not
> yet convinced that this is the correct optimization, and would prefer that
> we give just a bit more thought... yeah, to PLANTS to see if we can adopt
> that work in some way here. The challenge is the circular connectivity
> dependency, but if you're talking about pre-fetching here, that might
> provide alternatives there.
>
The draft is structured around three distinct concerns: PQC key exchange
for long-term confidentiality, PQ authentication, and handshake size
reduction. The EST integration in Section 5 is one proposed optimization
for reducing handshake overhead by pre-fetching intermediate certificates.
I agree that there are other mechanisms for certificate delivery.
The circular connectivity dependency challenge in PLANTS could be addressed
using EST, where the EST server acts as the transparency service, and
devices periodically fetch updated landmarks from it similar to how
browsers periodically fetch updated landmarks from the transparency service
in WebPKI. I am open to discussing PLANTS integration in the draft if there
is interest from the WG.

Cheers,
-Tiru

Eliot
>
>
> -Tiru
>
>> Eliot
>> On 28.04.2026 15:27, tirumal reddy wrote:
>>
>> On Tue, 28 Apr 2026 at 17:12, Eliot Lear <lear@lear.ch> wrote:
>>
>>> Hi Peter and colleagues,
>>>
>>> Has anyone created a test implementation with hostap to see if there are
>>> any ill effects from large key sizes?  Also, I would like to understand the
>>> relationship of this work, if any, to PLANTS.
>>>
>> No, the draft does not discuss merkle-tree certificates. PLANTS targets
>> WebPKI. While Merkle-tree certificates would help reduce PQC certificate
>> sizes in EAP deployments, their applicability in this context requires
>> further analysis.
>>
>> -Tiru
>>
>>> Eliot
>>> On 28.04.2026 12:33, Peter Yee wrote:
>>>
>>> I've issued a WG call for adoption on draft-reddy-emu-pqc-eap-tls and would really like to get opinions on whether this work ought to be adopted. The document is fairly short and the only normative section covers additions to EST (RFC 7030) for optimization purposes by allowing the retrieval of intermediate portions of EAP client and EAP server certificate chains to obviate needing to pass them in-band in the TLS handshake. That part runs 2 pages.
>>>
>>> Please take a look and send your comments for or against adoption to the mailing list by May 12th.
>>>
>>> Thank you in advance.
>>>
>>> 		-Peter
>>>
>>> On 4/28/26, 11:24 AM, "Peter Yee via Datatracker" <noreply@ietf.org> <noreply@ietf.org> wrote:
>>>
>>> This message starts a emu WG Call for Adoption of:
>>> draft-reddy-emu-pqc-eap-tls-03
>>>
>>> This Working Group Call for Adoption ends on 2026-05-12
>>>
>>> Abstract:
>>> This document proposes enhancements to TLS-based EAP methods,
>>> including the Extensible Authentication Protocol with Transport Layer
>>> Security (EAP-TLS), EAP Tunneled TLS (EAP-TTLS), Protected EAP
>>> (PEAP), and EAP Tunnel Method (TEAP), to incorporate post-quantum
>>> cryptographic mechanisms. It also addresses challenges related to
>>> large certificate sizes and long certificate chains, as identified in
>>> [RFC9191], and provides recommendations for integrating PQC
>>> algorithms into TLS-based EAP deployments.
>>>
>>> Please reply to this message and indicate whether or not you support adoption
>>> of this Internet-Draft by the emu WG. Comments to explain your preference are
>>> greatly appreciated. Please reply to all recipients of this message and
>>> include this message in your response.
>>>
>>> Authors, and WG participants in general, are reminded of the Intellectual
>>> Property Rights (IPR) disclosure obligations described in BCP 79 [2].
>>> Appropriate IPR disclosures required for full conformance with the provisions
>>> of BCP 78 [1] and BCP 79 [2] must be filed, if you are aware of any.
>>> Sanctions available for application to violators of IETF IPR Policy can be
>>> found at [3].
>>>
>>> Thank you.
>>> [1] https://datatracker.ietf.org/doc/bcp78/
>>> [2] https://datatracker.ietf.org/doc/bcp79/
>>> [3] https://datatracker.ietf.org/doc/rfc6701/
>>>
>>> The IETF datatracker status page for this Internet-Draft is:https://datatracker.ietf.org/doc/draft-reddy-emu-pqc-eap-tls/
>>>
>>> There is also an HTML version available at:https://www.ietf.org/archive/id/draft-reddy-emu-pqc-eap-tls-03.html
>>>
>>> A diff from the previous version is available at:https://author-tools.ietf.org/iddiff?url2=draft-reddy-emu-pqc-eap-tls-03
>>>
>>>
>>>
>>> _______________________________________________
>>> Emu mailing list -- emu@ietf.org
>>> To unsubscribe send an email to emu-leave@ietf.org
>>>
>>> _______________________________________________
>>> Emu mailing list -- emu@ietf.org
>>> To unsubscribe send an email to emu-leave@ietf.org
>>>
>>

v2.43.4 | Report a Bug | By Email | System Status