Dear TLS Working Group,
I am writing to bring to your attention a potential security concern regarding the exchange of client certificates during the TLS handshake process. While the use of client certificates for authentication is a useful security measure, it also presents a risk in terms of exposing sensitive information contained within the certificate. Currently, TLS requires the exchange of the DER-encoded client certificate as part of the initial handshake process. This means that information such as the client's name, email address, and other identifying details are transmitted in cleartext, potentially allowing for interception and exploitation by malicious actors. I propose that a solution to this issue would be to separate the exchange of client certificates from the initial handshake process, and instead require the client to present their certificate only after the secure channel has been established. This would allow for mutual authentication without exposing sensitive information to potential interception. I urge you to consider this proposal and take action to address this potential security vulnerability. Thank you for your attention to this matter. Sincerely, Yannick LaRue SSE Carte à Puce Inc.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
