I wonder if MT is thinking forward to something like KEMTLS which used a
KEM to prove possession to the peer?
In any case, I think it would be a good design criterion for TLS that it
offer the same level of security -- including against identity misbinding
attacks -- even if the CA does not verify P
Martin:
In TLS 1.3, this is not an issue because only the signature key gets certified.
Russ
> On Oct 4, 2022, at 10:39 PM, Martin Thomson wrote:
>
> The integrity of TLS doesn't depend on the key holder presenting proof of
> possession toward the issuing CA. Perhaps we could define an exten