Open thomas-fossati opened 2 years ago
@mcr bread crumbs.
@mcr how can we make this issue more actionable?
Can you propose some text?
Are you asking for the section to be removed?
Re-reading -05, since it's been awhile.
Avoid deep and complex CA hierarchies to reduce the number of subordinate CA certificates that need to be transmitted. I suggest you reference https://www.ietf.org/archive/id/draft-irtf-t2trg-taxonomy-manufacturer-anchors-00.html#name-number-of-levels-of-certification here.
Use session resumption to reduce the number of times a full handshake is needed. Use Connection IDs [DTLS-CID], when possible, to enable long-lasting connections. I have wondered whether some devices might initiate a TLS session in the factory, load a session resumption ticket valid for years to decades, and just ALWAYS use that.
Use client certificate URLs [RFC6066] instead of full certificates for clients. please also reference https://datatracker.ietf.org/doc/draft-ietf-dance-tls-clientid/
Whether to utilize any of the above extensions or a combination of them depends on the anticipated deployment environment, the availability of code, and the constraints imposed by already deployed infrastructure (e.g., CA infrastructure, tool support). too wishy-washy. Let's actually set some goals that people can code against, and that enterprises can specify that they want. (Section 18 is way more specific, and I like that)
From MCR review: