On Mon, Apr 24, 2017 at 8:42 AM, Hannes Tschofenig
<hannes.tschofe...@gmx.net> wrote:
> Hi Ilari,
>
> thanks for your feedback. Remarks inline:
>
> On 04/21/2017 12:52 PM, Ilari Liusvaara wrote:
>> On Fri, Apr 21, 2017 at 10:44:01AM +0200, Hannes Tschofenig wrote:
>>> I have read draft-sullivan-tls-exported-authenticator-01 and have a few
>>> questions. I haven't followed this work previously but have been
>>> wondering whether this functionality would be useful for "me".
>>>
>>> The described functionality sounds like post-handshake authentication
>>> from TLS 1.3 (although it does not use that term throughout the
>>> document). I would have thought that this functionality is a replacement
>>> to the TLS 1.2 renegotiation but then there is also the TLS 1.3 content
>>> in there which raises the question about how this relates to the
>>> post-handshake authentication functionality.
>>
>> There are two things that can't be accomplished with PHA:
>>
>> - Authenticating the server for more identities.
>> - Transmitting application context with the certificate.
>>
>> TLS 1.2 renegotiation also is incapable of either of those.
>
>
> In what situations would I want those features? The draft is rather
> brief on the motivational side.

Part of the reason TLS client certificate UX sucks is the absence of
hints as to which certificates are offered. It's a lot easier to add
that to HTTP than to TLS. It also fixes bugs where authentication
state doesn't line up nicely with HTTP request state.

The other application is to servers which want to indicate they have
certificates for other sites, so as to enable connection reuse for a
latency and performance win.
>
>
>>
>>> What does the following sentence mean and what is the use case for it?
>>>
>>> "
>>>   This proof of authentication can
>>>    be exported and transmitted out of band from one party to be
>>>    validated by the other party.
>>> "
>>> Who are the parties?
>>
>> Most probably TLS client and server.
>
> Maybe the draft should say that.
>
> Ciao
> Hannes
>
>>
>>
>> -Ilari
>>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.
