Handling Large Certificates and Long Certificate Chains in TLS-based EAP Methods

The information below is for an old version of the document.
Document Type: This is an older version of an Internet-Draft that was ultimately published as RFC 9191. Expired & archived.
Authors: Mohit Sethi, John Preuß Mattsson, Sean Turner
Last updated: 2020-03-01 (Latest revision 2019-08-13)
Replaces: draft-ms-emu-eaptlscert
RFC stream: Internet Engineering Task Force (IETF)
OPSDIR Last Call Review: Incomplete, due 2020-10-28
Additional resources: Mailing list discussion
WG state: In WG Last Call
Associated WG milestone: Nov 2019, WG last call on operational recommendations for large certificate and chain sizes
Document shepherd: (None)
IESG state: Expired
Consensus boilerplate: Unknown
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


EAP-TLS and other TLS-based EAP methods are widely deployed and used for network access authentication. Large certificates and long certificate chains, combined with authenticators that drop an EAP session after only 40 - 50 round-trips, are a major deployment problem. This memo looks at this problem in detail and describes the potential solutions available.


Mohit Sethi
John Preuß Mattsson
Sean Turner

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)