On Mon, 24 Aug 2015, Eric Rescorla wrote:
TLS 1.3 encrypts both the client's and server's certificates already. The server's certificate is secure only against passive attack.
Not having read the TLS 1.3 draft, in IKE parties can send a hash of the CAs they trust, so unless you receive a hash of a known CA to you, you can withold your own certificate from being sent. Is a similar mechanism not planned for TLS 1.3? Paul _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
