> So it may be necessary to have the server respond with its own flag to
> indicate that it really does want client cert auth and isn't just asking for
> a client cert on autopilot.

An "I really mean it" flag. We can add these for every TLS message, not just authentication-related ones. Just to make sure the peer truly is serious about the TLS handshake. 😊
-----Original Message-----
From: TLS <tls-boun...@ietf.org> On Behalf Of Peter Gutmann
Sent: Tuesday, October 24, 2023 12:55 AM
To: tls@ietf.org
Subject: Re: [TLS] [EXTERNAL] Re: Request mTLS Flag

Viktor Dukhovni <ietf-d...@dukhovni.org> writes:

>I don't see in your comment anything to suggest that the flag is a no-go.

Oh, it's definitely not a no-go, just pointing out that you shouldn't read too much into seeing a cert request from a server. In other words, if the client says "I have a cert" and the server responds "please authenticate using the cert", that doesn't mean that the server will actually expect client cert auth at that point. So it may be necessary to have the server respond with its own flag to indicate that it really does want client cert auth and isn't just asking for a client cert on autopilot.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
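Peter's point above, that a CertificateRequest from the server does not by itself mean the server will insist on client authentication, can be observed directly in a TLS stack. The Go program below is an added example written for this page; it is not part of the thread, of the Request mTLS Flag draft, or of any IETF text. It runs two TLS 1.3 handshakes over loopback against a client that has no certificate to offer: once with Go's `tls.RequestClientCert` (the server sends CertificateRequest but accepts an empty Certificate in reply, the "autopilot" case) and once with `tls.RequireAnyClientCert` (the server rejects the same client). The self-signed server certificate, the `Outcome` type and the helper names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome is what the server side observed for one handshake.
type Outcome struct {
	ServerAccepted bool   // server-side Handshake() returned nil
	ClientCertSeen bool   // server saw at least one client certificate
	ServerErr      string // server-side handshake error, if any
}

// selfSignedCert builds a throwaway in-memory server certificate
// (constructed for this example, not a deployment certificate).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// runNoCertClient performs one TLS 1.3 handshake over loopback. The server
// uses the given ClientAuth mode; the client has no certificate to present.
func runNoCertClient(mode tls.ClientAuthType) (Outcome, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return Outcome{}, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Outcome{}, err
	}
	defer ln.Close()

	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   mode, // RequestClientCert: CertificateRequest is sent, an empty answer is accepted
		MinVersion:   tls.VersionTLS13,
	}
	done := make(chan Outcome, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- Outcome{ServerErr: err.Error()}
			return
		}
		defer raw.Close()
		srv := tls.Server(raw, srvCfg)
		if err := srv.Handshake(); err != nil {
			done <- Outcome{ServerErr: err.Error()}
			return
		}
		done <- Outcome{
			ServerAccepted: true,
			ClientCertSeen: len(srv.ConnectionState().PeerCertificates) > 0,
		}
	}()

	// Client: no Certificates configured, so it answers a CertificateRequest
	// with an empty Certificate message. InsecureSkipVerify only because the
	// server certificate above is self-signed; never do this in real code.
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS13,
	})
	if err == nil {
		// In TLS 1.3 the client's handshake completes before the server has
		// judged the (empty) Certificate; a rejection only shows up as an
		// alert on the first Read, so read once to let it surface.
		cli.SetReadDeadline(time.Now().Add(2 * time.Second))
		var b [1]byte
		_, _ = cli.Read(b[:])
		cli.Close()
	}
	return <-done, nil
}

func RequestOnlyOutcome() (Outcome, error) { return runNoCertClient(tls.RequestClientCert) }
func RequireAnyOutcome() (Outcome, error)  { return runNoCertClient(tls.RequireAnyClientCert) }

func main() {
	for _, f := range []func() (Outcome, error){RequestOnlyOutcome, RequireAnyOutcome} {
		o, err := f()
		fmt.Printf("%+v err=%v\n", o, err)
	}
}
```

From the client's side the two servers are indistinguishable at the point where it must decide what to send: both deliver a CertificateRequest, and in TLS 1.3 the client's own handshake has already returned before the server acts on the empty Certificate. Only the server's later behaviour (accept, or alert on the first read) reveals whether the request was a demand or a reflex, which is exactly the gap the thread is discussing.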