Hello Benjamin, > No, mutual authentication requires the client to receive a message from > the server.
Yes, I know -- the server needs to handle the session key or the subkey to prove posession of its KDC-stored service key. By using it, the client can be convinced or server identity. > This could be implicit I think it automatically is with TLS, since the Finished messages won't succeed until both parties have derived the same master secret, which if it involves the session key or subkey proves the server's identity in an implicit manner. I do believe a long-enough Finished message is required though. For the TLS_ECDHE_KRB_ CipherSuites I've proposed a verify_data_lenth to match the required certainty from the message; if we mix Kerberos client "certificates" info other CipherSuites like TLS_ECDHE_RSA_ then a client SHOULD negotiate a high-enough value and the server MUST support that. It requires TLS 1.2 to do these things. -Rick _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
