How does RFC 7250 (raw public keys) fit in? #722
Comments
Replaces the whole message. Them's the rules.
7250 mentions ASN1Cert directly. It probably needs some clarification in this document to avoid confusion.
OK, will fix. On Wed, Oct 19, 2016 at 7:45 PM, Martin Thomson notifications@github.com
We may actually need a 7250-bis. I'm going to leave this for now.
This is still a problem. RFC 7250 is referenced in several places, but its use in TLS 1.3 is not well-defined. Section 2 of draft 18 says:
Certificate (section 4.4.1) is defined via:
If the whole Certificate is replaced as suggested by Section 2, then the
In TLS 1.2 there is only one Certificate per handshake. In TLS 1.3 you can have multiple CertificateRequests and Certificate responses (in any order). Restricting the number of CertificateRequest/Certificate responses (or requiring the context to be the same) is one option, but may complicate the protocol/implementation.
Note that RPK (RFC 7250) is not well-defined and is left untouched. tlswg/tls13-spec#722
Certificate extensions dissection remains a task for later.
Change-Id: I62276e59db94429e4c09058aca3c08f390ec3af7
Ping-Bug: 12779
Reviewed-on: https://code.wireshark.org/review/19864
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Done
Do we replace ASN1Cert, CertificateEntry, or the entirety of the Certificate message body with the SPKI?