On Fri, 16 Oct 2015, Rick van Rein wrote:
> 3) Similar to OpenPGP: Negotiate cert-type
> There is a cert-type for X.509 and for OpenPGP; add one for Kerberos Tickets.
> PRO: Good integration with TLS: Tickets are transported in the
> ClientCertificate, and an Authenticator is the ClientVerify. DH is independent
> and can move to the earlier phase for TLS 1.3.
How is this type of TLS connection prevented from being MITM'ed by
someone replaying Kerberos tickets (which it cannot read itself)?
Paul