On Tue, Nov 01, 2016 at 04:41:44AM -0400, William Whyte wrote:
> I'm confused by the line "These messages are not encrypted", because on a
> plain reading it could mean that the authenticator is sent outside the
> encrypted TLS session. That would be bad because it would mean that clients
> that wanted to authenticate themselves but to the server only wouldn't be
> able to use this mechanism. I assume that's not the intent? If that isn't
> the intent, suggest rephrasing as "These messages are not encrypted, other
> than the encryption provided on transmission by the TLS session".

What I think it means is that the authenticator is not encrypted before
handing it to the application for transport (most probably ultimately
ending inside the TLS connection itself, which does encrypt it on the
wire).


Also, the message emitted is formatted as follows, right?

- Byte 0x0B (CERTIFICATE code)
- 3-byte length of Certificate message
- Standard TLS 1.3 Certificate message payload
- Byte 0x0F (CERTIFICATE_VERIFY code)
- 3-byte length of CertificateVerify message
- Standard TLS 1.3 CertificateVerify message payload
- Byte 0x14 (FINISHED code)
- 3-byte length of Finished message
- Standard TLS 1.3 Finished message payload




-Ilari
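The framing listed above (a one-byte handshake type, a three-byte big-endian length, then the TLS 1.3 message payload, three times over) is easy to get subtly wrong, so here is an added example that builds such an authenticator and parses it back. This is illustration code written for this page, not code from the draft or from any TLS implementation. The inner payload layouts (Certificate, CertificateVerify, Finished) follow RFC 8446 section 4.4; the certificate DER bytes, signature and Finished verify_data are constructed placeholders, not real cryptographic values, and the parser only checks framing and message order, not signatures.

```python
import struct

# Handshake type codes exactly as listed in the message above.
CERTIFICATE = 0x0B
CERTIFICATE_VERIFY = 0x0F
FINISHED = 0x14


def _u8_vec(b: bytes) -> bytes:
    """opaque x<0..2^8-1>: one-byte length prefix."""
    if len(b) > 0xFF:
        raise ValueError("u8 vector too long")
    return struct.pack("!B", len(b)) + b


def _u16_vec(b: bytes) -> bytes:
    """opaque x<0..2^16-1>: two-byte length prefix."""
    if len(b) > 0xFFFF:
        raise ValueError("u16 vector too long")
    return struct.pack("!H", len(b)) + b


def _u24_vec(b: bytes) -> bytes:
    """opaque x<0..2^24-1>: three-byte length prefix."""
    if len(b) >= 1 << 24:
        raise ValueError("u24 vector too long")
    return len(b).to_bytes(3, "big") + b


def handshake_message(msg_type: int, payload: bytes) -> bytes:
    """Handshake framing: type byte + 3-byte length + payload."""
    if not 0 <= msg_type <= 0xFF:
        raise ValueError("bad handshake type")
    return bytes([msg_type]) + _u24_vec(payload)


def certificate_payload(context: bytes, chain) -> bytes:
    """TLS 1.3 Certificate: request_context + list of (cert_data, extensions)."""
    entries = b"".join(_u24_vec(der) + _u16_vec(ext) for der, ext in chain)
    return _u8_vec(context) + _u24_vec(entries)


def certificate_verify_payload(scheme: int, signature: bytes) -> bytes:
    """TLS 1.3 CertificateVerify: 2-byte SignatureScheme + signature<0..2^16-1>."""
    return struct.pack("!H", scheme) + _u16_vec(signature)


def finished_payload(verify_data: bytes) -> bytes:
    """TLS 1.3 Finished carries only verify_data (an HMAC; length = hash length)."""
    return verify_data


def build_authenticator(cert: bytes, cert_verify: bytes, finished: bytes) -> bytes:
    """Concatenate the three framed messages in the order the message describes."""
    return (handshake_message(CERTIFICATE, cert)
            + handshake_message(CERTIFICATE_VERIFY, cert_verify)
            + handshake_message(FINISHED, finished))


def parse_handshake_messages(data: bytes):
    """Split a byte string into (type, payload) pairs; reject truncation."""
    msgs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated handshake header")
        msg_type = data[off]
        length = int.from_bytes(data[off + 1:off + 4], "big")
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        msgs.append((msg_type, bytes(body)))
        off += 4 + length
    return msgs


def parse_authenticator(data: bytes) -> dict:
    """Require exactly Certificate, CertificateVerify, Finished, in that order."""
    msgs = parse_handshake_messages(data)
    if [t for t, _ in msgs] != [CERTIFICATE, CERTIFICATE_VERIFY, FINISHED]:
        raise ValueError("unexpected message sequence in authenticator")
    return {"certificate": msgs[0][1],
            "certificate_verify": msgs[1][1],
            "finished": msgs[2][1]}


def sample_authenticator() -> bytes:
    """Constructed sample: placeholder DER, signature and verify_data, not real crypto."""
    placeholder_der = b"\x30\x03\x02\x01\x01"          # not a real certificate
    cert = certificate_payload(b"", [(placeholder_der, b"")])
    cert_verify = certificate_verify_payload(0x0804, b"\xde\xad\xbe\xef")  # rsa_pss_rsae_sha256, fake sig
    finished = finished_payload(b"\x11" * 32)          # SHA-256-sized placeholder verify_data
    return build_authenticator(cert, cert_verify, finished)


if __name__ == "__main__":
    auth = sample_authenticator()
    print(auth.hex())
    print({k: len(v) for k, v in parse_authenticator(auth).items()})
```

The parser deliberately refuses trailing or missing bytes and any deviation from the Certificate, CertificateVerify, Finished order, which is the check a receiver wants before it hands the pieces to its signature and MAC verification.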

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
