Viktor Dukhovni <ietf-d...@dukhovni.org> writes:

> I think what you're really saying is that it may be time to replace the extant
> client certificate request message with a completely new one, because the old
> one is ossified.
No, just have the server echo back the cert-auth flag from the client to indicate that it really wants to do this. Either that, or mention in the RFC that some servers will send a cert request no matter what, so getting a cert request in response to an mTLS flag [*] doesn't necessarily mean that the server is expecting cert auth. Adding the note at least makes it Someone Else's Problem.

Peter.

[*] Why is it called mTLS? It's just TLS; mTLS doesn't add anything new that hasn't been in there for decades.