Karthikeyan Bhargavan wrote:
>
> Yes Hugo, you're right that when there is no client auth,
> the situation is less problematic.

I'm not so sure. There might be the desire of the server to keep some data confidential, and your argument is that if the data wasn't confidential to begin with, the server is not "breaking" confidentiality--although the server is clearly doing this.

But what about the client and the client's desire to keep confidential which particular "public data" it is just requesting and receiving from the server?

-Martin