Andrei proposes two changes in https://github.com/tlswg/tls13-spec/pull/209
The first expands the ways in which a server can identify certificates. This is fine. I do wonder whether we can remove CertificateType entirely for TLS 1.3 though (that can be done separately).

The second is worrisome. I don't like that a handshake message now has two different potential locations that it might appear in. That seems like a hazard.

I think that we need a new content type for a new message that can be used after the handshake completes. Then there are two options:

a) remove CertificateRequest from the handshake entirely and allow the handshake to complete before authenticating (this has a number of hazards that make it probably worse than the duplication it addresses)

b) use CertificateRequest within the handshake, and the new content type outside of it