On Mon, Aug 24, 2015 at 05:33:18PM -0400, Paul Wouters wrote:
> On Mon, 24 Aug 2015, Eric Rescorla wrote:
>
> > TLS 1.3 encrypts both the client's and server's certificates already.
> > The server's certificate is secure only against passive attack.
>
> Not having read the TLS 1.3 draft, in IKE parties can send a hash of the
> CAs they trust, so unless you receive a hash of a known CA to you, you
> can withhold your own certificate from being sent.
>
> Is a similar mechanism not planned for TLS 1.3?
This would break DANE, unless the mechanism also allowed the client to
send a TLSA RRset instead, with the server then needing code to figure
out which chains match which TLSA RRs. This is I think too complex.

If the client is willing to live without any certificate at all, it
can include anon-(EC)DH ciphersuites in its cipherlist at a higher
preference than any ciphersuites that use certificates. Otherwise,
the server sends a suitable chain per SNI and closest match to
supported signature algorithms.

-- 
	Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
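The server-side selection Viktor sketches (honour the client's suite order, take the anon-(EC)DH escape hatch when the client ranks it first, otherwise pick a chain per SNI that is the closest match to the client's signature_algorithms), modelled as an added example. This is not code from the original post nor from any TLS implementation; the suite table, the `Chain`/`ClientHello` records, the host names and the chain labels are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed illustration: a "chain" is reduced to a label, the key type of
# its leaf, and the one TLS 1.2 signature algorithm that leaf can produce.
@dataclass(frozen=True)
class Chain:
    name: str
    key_type: str   # "rsa" or "ecdsa"
    sig_alg: str    # signature_algorithms value the leaf key satisfies

@dataclass
class ClientHello:
    sni: str
    cipher_suites: list[str]         # client preference order, best first
    signature_algorithms: list[str]  # client preference order, best first

# Authentication each suite needs; anon suites need no certificate at all.
SUITE_AUTH = {
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA": "anon",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ecdsa",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "rsa",
}

# Hypothetical server configuration, keyed by SNI host name (constructed).
SERVER_CHAINS = {
    "example.com": [
        Chain("example.com-rsa", "rsa", "rsa_pkcs1_sha256"),
        Chain("example.com-ecdsa", "ecdsa", "ecdsa_secp256r1_sha256"),
    ],
    "other.example": [Chain("other-rsa", "rsa", "rsa_pkcs1_sha256")],
}
DEFAULT_SNI = "example.com"          # used when the SNI is unknown or absent
SERVER_SUITES = set(SUITE_AUTH)      # this toy server enables all three suites

def chains_for(sni: str, chains=SERVER_CHAINS) -> list[Chain]:
    """Per-SNI chain set, falling back to the default virtual host."""
    return chains.get(sni, chains[DEFAULT_SNI])

def closest_chain(candidates: list[Chain], sig_algs: list[str]) -> Optional[Chain]:
    """Chain whose signature algorithm the client ranks highest; a chain the
    client did not list at all is never chosen (RFC 5246 7.4.1.4.1)."""
    ranked = [c for c in candidates if c.sig_alg in sig_algs]
    if not ranked:
        return None
    return min(ranked, key=lambda c: sig_algs.index(c.sig_alg))

def select(hello: ClientHello, chains=SERVER_CHAINS,
           server_suites=SERVER_SUITES) -> Optional[tuple[str, Optional[Chain]]]:
    """Walk the client's suites in its preference order and return
    (suite, chain) where chain is None for an anon suite, or None when
    nothing can be negotiated (the server would send handshake_failure)."""
    for suite in hello.cipher_suites:
        auth = SUITE_AUTH.get(suite)
        if auth is None or suite not in server_suites:
            continue
        if auth == "anon":
            return suite, None               # no certificate is ever sent
        cands = [c for c in chains_for(hello.sni, chains) if c.key_type == auth]
        chain = closest_chain(cands, hello.signature_algorithms)
        if chain is not None:
            return suite, chain
    return None

if __name__ == "__main__":
    # A client that would rather have no certificate at all: anon suite first.
    anon_first = ClientHello("example.com",
        ["TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
        ["rsa_pkcs1_sha256"])
    print(select(anon_first))
    # A normal client: gets the ECDSA chain for example.com, the RSA one elsewhere.
    normal = ClientHello("example.com",
        ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
        ["ecdsa_secp256r1_sha256", "rsa_pkcs1_sha256"])
    print(select(normal))
```

The point of the anon branch is that the certificate never enters the handshake at all, which is why it sidesteps the question of hiding it; the cost, of course, is that the client has no idea who it is talking to. The chain selection shows why an IKE-style "hash of trusted CAs" hint is awkward to retrofit: the server already has to reconcile SNI, key type and signature algorithms before it can pick a chain, and a TLSA-based alternative would add a fourth dimension to that search.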