https://github.com/tlswg/tls13-spec/pull/950 Target merge date: Tuesday
I have just posted PR#950, which recommends that servers generate unpredictable context values for CertificateRequest in post-handshake client authentication. This prevents attacks in which an attacker who has temporary access to the client's private key can forge valid CertificateVerify messages.

Note that this is not an enormously large improvement, because an attacker who has temporary access to the private key can do a bunch of other stuff, like forging a complete handshake message, but I can imagine some artificial scenarios where it might be useful, for instance if the user's private key is in an HSM and so the attacker has permanent control of the user's machine but can't get him to generate an arbitrary number of private key operations without detection.

Unless I have missed something, this seems like harmless advice, so I tend to think we should add it. Comments welcome.

-Ekr
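As an added illustration of the recommendation (example code written for this page, not the PR's text or any TLS implementation), the Go program below builds the RFC 8446 CertificateVerify content over a transcript that includes the server's random certificate_request_context and shows that a signature pre-computed for a guessable context is rejected while a live one is accepted. The prior-transcript bytes and the 32-byte context length are constructed assumptions, and Ed25519 stands in for whatever signature scheme a real connection negotiated.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// NewContext returns a fresh unpredictable certificate_request_context, as the PR
// recommends. The 32-byte length is this example's choice, not the PR's text.
func NewContext() []byte {
	ctx := make([]byte, 32)
	if _, err := rand.Read(ctx); err != nil {
		panic(err)
	}
	return ctx
}

// certVerifyContent builds what CertificateVerify signs (RFC 8446 4.4.3): 64 spaces,
// context string, zero byte, then a transcript hash modelling the CertificateRequest
// (handshake type 0x0d) that carries ctx, so the server's context is bound in.
func certVerifyContent(ctx []byte) []byte {
	h := sha256.New()
	h.Write([]byte("constructed stand-in for ClientHello ... client Finished"))
	h.Write([]byte{0x0d, byte(len(ctx))})
	h.Write(ctx)
	b := bytes.Repeat([]byte{' '}, 64)
	b = append(b, "TLS 1.3, client CertificateVerify"...)
	b = append(b, 0)
	return append(b, h.Sum(nil)...)
}

// SignCertificateVerify: client side. VerifyCertificateVerify: server side,
// checked against the context the server itself issued for this request.
func SignCertificateVerify(priv ed25519.PrivateKey, ctx []byte) []byte {
	return ed25519.Sign(priv, certVerifyContent(ctx))
}

func VerifyCertificateVerify(pub ed25519.PublicKey, ctx, sig []byte) bool {
	return ed25519.Verify(pub, certVerifyContent(ctx), sig)
}

// PrecomputedForgeryFails shows the PR's point: a signature made during temporary key
// access for a guessed context (counter value 1) fails against a fresh random context.
func PrecomputedForgeryFails() (forgeryAccepted, liveAccepted bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignCertificateVerify(priv, []byte{0, 0, 0, 1})
	issued := NewContext()
	return VerifyCertificateVerify(pub, issued, forged), VerifyCertificateVerify(pub, issued, SignCertificateVerify(priv, issued))
}
```

A server following this also has to remember which contexts it has issued and still expects, so a CertificateVerify for an unknown or already-used context is rejected at the same check.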
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls