On Mon, Aug 24, 2015 at 11:17 PM, Eric Rescorla <e...@rtfm.com> wrote:
> > > TLS 1.3 encrypts both the client's and server's certificates already. > The server's certificate is secure only against passive attack. The > client's is encrypted with a key that the client can authenticate as > belonging to the server. > > It's good to see that both the client's and the server's certificates are encrypted in TLS 1.3, providing protection against passive eavesdropping. For some use cases it might be worthwhile to reduce the information made available to an active attacker also. Are there any suggestions in this direction for TLS 1.3? One might think of a multi stage approach, something like: - Anonymous connection establishment, resulting in a secure channel. - Authentication by means of group certificate. - Authentication by means of a host specific certificate. The purpose of the second step above is to first only provide the group identity to an active attacker, and then to reveal the host identities (certificate information) only after group membership has been mutually authenticated. Does something like this seem reasonable for TLS 1.3 or are there any other ways for providing protection of identities against an active attack? Best regards Viktor S. Wold Eide
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
