On 5/9/21 9:13 AM, Mohit Sahni wrote:
> RFC6962 only talks about support of CT to verify the server
> certificates; however, while working on zero trust services that
> require MTLS for each connection, I realized that enabling CT for
> client certificates can make the TLS handshakes with Mutual TLS more
> secure. (I don't want to go into details of how CT can make it more
> secure as those benefits are already mentioned in RFC6962.)

Both approaches seem reasonable/obvious, although the OCSP-based one seems to have a few potential issues (both around stapling and around spotty implementation of the use of OCSP for client cert status checking). But I have to say, the core problem this proposal faces would seem to be lack of demand on the part of folks who consume client certificates. In the seven years that trans has been up and running this has received nearly no discussion, even in passing, and if I recall correctly, no drafts and no agenda time in meetings.

Melinda

--
Melinda Shore
melinda.sh...@nomountain.net

Software longa, hardware brevis

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls