> ----- Original Message -----
>>> Hello,
>>> 3) Similar to OpenPGP: Negotiate cert-type
>>>
>>> There is a cert-type for X.509 and for OpenPGP; add one for Kerberos
>>> Tickets.
>>> PRO: Good integration with TLS: Tickets are transported in the
>>> ClientCertificate, and an Authenticator is the ClientVerify. DH is
>>> independent and can move to the earlier phase for TLS 1.3.
>>> CON: Decision on client credential type must be made in ClientHello, when
>>> not all data may be available (namely, the sequence of tickets leading to
>>> the TLS-protected service). Also impacts the cert-type used in the
>>> ServerCert.
>>
>> What messages do you need to transfer for Kerberos? Is it only a ping-pong?
>> In that case, do the supplemental data from RFC4680 provide a solution with
>> PSK in TLS 1.2?
>>
> 4680 says "[a]ny such data MUST NOT need to be processed by the TLS
> protocol.", which seems to disqualify it from applicability here.

That's interesting and open to interpretation, but I don't think it is
applicable. If you simply use it to derive a key for PSK, it is equivalent to
reading a key from a password file using the username provided.

regards,
Nikos

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls