As Viktor noted in a separate e-mail, TLS 1.3 already encrypts the client certificate.

-Ekr

On Sun, Mar 26, 2023 at 4:00 PM Yannick LaRue <YannickL= 40smartcardsecurity...@dmarc.ietf.org> wrote:

> Dear TLS Working Group,
>
> I am writing to propose a new method for enhancing the security of mutual
> authentication in TLS. The current TLS protocol requires the exchange of
> client and server certificates in cleartext during the initial handshake,
> which exposes sensitive client information to potential man-in-the-middle
> attacks. In order to address this vulnerability, I propose implementing a
> second handshake that requests the client certificate only after the secure
> channel has been established.
>
> Under this method, if the client chooses to engage in mutual
> authentication and sends their certificate, the security can be
> renegotiated using the client certificate instead of the server
> certificate. This would provide an additional layer of security, as any
> attacker intercepting the exchange would not be able to discern how the new
> secure channel was negotiated.
>
> I believe this proposed method would be compatible with TLS 1.4, without
> disrupting backward compatibility with earlier versions such as TLS 1.3. As
> mutual authentication implies a desire for stronger security, any potential
> increase in overhead or processing required by this method would likely be
> acceptable to users.
>
> Moreover, this proposal would also be in line with GDPR requirements, as
> it would reduce the amount of client information exchanged during the
> initial handshake and offer more control over personal data.
>
> Thank you for considering my proposal. I would be happy to discuss this
> idea further or provide additional details as needed.
>
> Best regards,
>
> Yannick LaRue
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls