----- Original Message -----
> Hello,
> 3) Similar to OpenPGP: Negotiate cert-type
>
> There is a cert-type for X.509 and for OpenPGP; add one for Kerberos Tickets.
> PRO: Good integration with TLS: Tickets are transported in the
> ClientCertificate, and an Authenticator is the ClientVerify. DH is
> independent and can move to the earlier phase for TLS 1.3.
> CON: Decision on client credential type must be made in ClientHello, when not
> all data may be available (namely, the sequence of tickets leading to the
> TLS-protected service). Also impacts the cert-type used in the ServerCert.

What messages do you need to transfer for Kerberos? Is it only a ping-pong? In that case, do the supplemental data from RFC4680 provide a solution with PSK in TLS 1.2?

regards,
Nikos

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls