On Tue, Oct 24, 2023 at 02:40:35AM +0000, Peter Gutmann wrote:

> >Yes, but, arguably, such broken clients won't be fixed by adding new
> >extensions/flags/etc. If they do not comply with the simple RFC language that
> >exists, can we expect them to implement the new flag correctly?
>
> I would argue that it's the server that's broken, not the client. An awful
> lot of (non-WWW) servers automatically request a client cert without anyone
> running the server being aware of it, or when asked, how to disable it. The
> clients then sleepwalk their way past it with a zero-length reply and things
> continue as normal with neither the server admin nor the client-side user
> being aware that certificate auth was requested and denied.
The breakage being, I assume, the pointless asking. I assume that you
wouldn't object to servers *conditionally* asking if:

- The client explicitly signalled willingness
- The server actually has a use for some client certs, but does not always
  require them.

I don't see in your comment anything to suggest that the flag is a no-go.

To David's point, I don't expect browsers to ever set it, at least not
without some advanced user configuration that almost nobody would set,
though you never know what "enterprise" customers will ask for...

-- 
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
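The behaviour Peter describes (a server that requests a client certificate, a client that answers with a zero-length Certificate message, and a handshake that completes with nobody noticing) can be reproduced on a loopback socket. The block below is an added example, not code from this thread or from any IETF draft. It uses Python's `ssl` module, where `CERT_OPTIONAL` on a server context is exactly "request but do not require" and `CERT_REQUIRED` is "request and reject an empty reply". It assumes an `openssl` binary on PATH to mint a throwaway self-signed certificate, and it turns hostname checking off on the client because that constructed certificate carries only a CN; chain verification against the same certificate stays on. The function names, the port choice and the `b"hello"` payload are all assumptions of this example.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "127.0.0.1"


def make_self_signed(tmpdir):
    """Mint a throwaway self-signed cert with the openssl CLI (assumed on PATH).

    Constructed test material: CN=localhost only, no SAN, valid for one day.
    """
    key = os.path.join(tmpdir, "key.pem")
    cert = os.path.join(tmpdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-subj", "/CN=localhost", "-days", "1"],
        check=True, capture_output=True,
    )
    return key, cert


def serve_one(ctx, ready, state):
    """Accept one TLS connection and record whether the handshake survived
    the client's empty Certificate reply."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))
    srv.listen(1)
    srv.settimeout(5)
    state["port"] = srv.getsockname()[1]
    ready.set()
    conn = None
    try:
        conn, _ = srv.accept()
        conn.settimeout(5)
        # CERT_REQUIRED: wrap_socket raises "peer did not return a certificate".
        # CERT_OPTIONAL: the zero-length Certificate is accepted without a trace.
        with ctx.wrap_socket(conn, server_side=True) as tls:
            state["client_cert_seen"] = tls.getpeercert(binary_form=True) is not None
            tls.sendall(b"hello")
            state["server_accepted"] = True
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        state["server_accepted"] = False
        state["server_error"] = str(exc)
    finally:
        if conn is not None:
            conn.close()
        srv.close()


def connect_without_cert(port, cafile):
    """A client that never loads a client certificate, like the sleepwalking
    clients in the thread. Returns True if application data flowed, i.e. the
    server let the cert-less handshake through."""
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cctx.load_verify_locations(cafile)
    cctx.check_hostname = False  # constructed cert has no SAN; chain check stays on
    try:
        with socket.create_connection((HOST, port), timeout=5) as raw:
            with cctx.wrap_socket(raw, server_hostname="localhost") as tls:
                # Under TLS 1.3 a server-side "certificate required" failure
                # only surfaces here, after the client's own handshake returned.
                return tls.recv(16) == b"hello"
    except OSError:
        return False


def handshake_without_client_cert(require_client_cert):
    """Run one server/client exchange. require_client_cert=False is the
    'request but do not require' setting the thread is about."""
    with tempfile.TemporaryDirectory() as tmp:
        key, cert = make_self_signed(tmp)
        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        sctx.load_cert_chain(cert, key)
        sctx.load_verify_locations(cert)  # CA name advertised in CertificateRequest
        sctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
        ready = threading.Event()
        state = {"server_accepted": False, "client_cert_seen": None}
        t = threading.Thread(target=serve_one, args=(sctx, ready, state), daemon=True)
        t.start()
        ready.wait(5)
        state["client_got_data"] = connect_without_cert(state["port"], cert)
        t.join(5)
        return state


if __name__ == "__main__":
    for required in (False, True):
        r = handshake_without_client_cert(required)
        print("require_client_cert=%s -> server_accepted=%s client_cert_seen=%s client_got_data=%s"
              % (required, r["server_accepted"], r["client_cert_seen"], r["client_got_data"]))
```

With `require_client_cert=False` the server reports a completed handshake, no peer certificate, and the client reads its data; neither side logs anything about the request that went unanswered. Flip it to `True` and the same client is cut off. To find out whether a server you operate is in the first state, `openssl s_client -msg` against it shows whether a CertificateRequest goes by during the handshake.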