On Fri, Jul 25, 2014 at 11:43:41PM +0200, BlueStar88 wrote:

> Well, you made many words, thank you for that patience! Now I think my
> false assumption (and underlying expectation) was that this "backfiring"
> client certificate verification leads to at least some assessment about
> the connection's integrity. But it does not, because it's just like showing
> a passport and has in fact nothing to do with the current underlying TLS
> link, correct so far?
With client certificates, the server can be more confident that there is no MiTM between the party with the private key for the presented certificate and the server. Of course, since the server has no idea whose certificate to expect, nor any particular way to distinguish one certificate holder from another, there is no benefit to MiTM detection unless the server in fact has some way to distinguish some clients from others.

-- 
Viktor.
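Viktor's point (a client certificate only helps the server detect a MiTM when the server can tell one certificate holder from another) can be made concrete. The following is an added example, not code from this thread or from any project discussed in it: a Go TLS server, using only the standard library, that requires a client certificate and accepts it only if its SHA-256 fingerprint is on an allowlist. A connection from Alice (pinned) completes; one from Mallory (a perfectly valid certificate the server has never seen) is refused with a bad_certificate alert. The names server.example, alice.example and mallory.example, the throwaway self-signed certificates and the loopback TCP transport are all assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on setup failures (key generation, loopback sockets) a demo cannot recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newIdentity makes a throwaway self-signed certificate and key for name (demo assumption, not a real PKI).
func newIdentity(name string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// fingerprint is the SHA-256 of a DER certificate, the value the server pins.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// serverConfig requires a client certificate and accepts only pinned ones; the allowlist is what lets the server tell Alice from any other key holder.
func serverConfig(id tls.Certificate, allowed map[string]bool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{id},
		ClientAuth:   tls.RequireAnyClientCert,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 || !allowed[fingerprint(rawCerts[0])] {
				return errors.New("client certificate not on allowlist")
			}
			return nil
		},
	}
}

// connect runs one mutually authenticated handshake over loopback TCP (client trusts only the server's own cert) and returns what each side observed.
func connect(srvCfg *tls.Config, server, client tls.Certificate) (serverErr, clientErr error) {
	pool := x509.NewCertPool()
	pool.AddCert(server.Leaf)
	cliCfg := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: pool, ServerName: server.Leaf.DNSNames[0]}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw := must(ln.Accept())
		defer raw.Close()
		s := tls.Server(raw, srvCfg)
		if err := s.Handshake(); err != nil {
			done <- err
			return
		}
		_, err := s.Write([]byte("welcome"))
		done <- err
	}()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	defer raw.Close()
	c := tls.Client(raw, cliCfg)
	if clientErr = c.Handshake(); clientErr == nil {
		_, clientErr = c.Read(make([]byte, 64)) // "welcome", or the server's bad_certificate alert
	}
	return <-done, clientErr
}

// demo pins Alice's certificate on the server, then connects as Alice and as Mallory, whose certificate is valid but unknown to the server.
func demo() (aliceSrv, aliceCli, mallorySrv, malloryCli error) {
	server, alice, mallory := newIdentity("server.example"), newIdentity("alice.example"), newIdentity("mallory.example")
	srvCfg := serverConfig(server, map[string]bool{fingerprint(alice.Certificate[0]): true})
	aliceSrv, aliceCli = connect(srvCfg, server, alice)
	mallorySrv, malloryCli = connect(srvCfg, server, mallory)
	return
}

func main() { fmt.Println(demo()) }
```

Remove the VerifyPeerCertificate callback and Mallory's handshake succeeds just like Alice's: the server has proof that somebody holds the private key for the certificate it was shown, which is exactly the "passport" situation in the quoted message and says nothing about who that somebody is. Only the allowlist (or, at scale, a private CA whose issued certificates carry the identities the server cares about) turns that into a statement about the peer, and hence into MiTM detection.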