Hi, I'm currently looking at https://www.ietf.org/id/draft-mattsson-eap-tls13-02.txt. It states that: While Elliptic Curve Cryptography (ECC) was optional for earlier version of TLS, TLS 1.3 mandates support of ECC (see Section 9 of [I-D.ietf-tls-tls13]). To avoid fragmentation, the use of ECC in certificates, signature algorithms, and groups are RECOMMENDED when using EAP-TLS with TLS 1.3 or higher. That sounds like useful avice. I'm wondering though what to do if you have a diverse variety of client devices doing EAP; some of which only do TLS 1.2 while others do TLS 1.3. The EAP server can only present one certificate to its incoming peer connections. If it has a ECDSA certificate, there's a chance for an interop problem with TLS 1.2 clients not supporting the needed cipher suites. If it has a RSA certificate, it misses out on the small-cert benefits. I wonder if it's possible to have both certificates available to the server, with a late selection: depending on which TLS version has been negotiated, present one cert or the other. Is that kind of stuff doable? It would certainly make a transition easier... Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66