
TLS Client Auth #209

Closed
wants to merge 1 commit into from
Conversation

Andrei-Popov

@Andrei-Popov Andrei-Popov commented Jul 24, 2015

Based on the TLS1.3 client authentication discussion at the TLS WG meeting, this PR:

  1. Allows the server to send CertificateRequest at any time after the handshake is complete.
  2. Allows the server to narrow down the list of acceptable client certificates by optionally specifying a list of certificate extension OIDs with their allowed values.
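An added example, not code from the tls13-spec draft or from this PR, modelling item 2 above in Python: a server-side filter that lists certificate extension OIDs with allowed values, and a client-side selection step that keeps only the certificates satisfying every listed OID. The OID encoding is standard DER (X.690); the matching rule (each filtered OID must be present in the certificate with at least one of the allowed values) and the sample certificates are assumptions constructed for the example, not the draft's wire format.

```python
# Added example (not from the tls13-spec draft or PR #209).
# Models "narrow down the acceptable client certificates by certificate
# extension OIDs with allowed values". The DER OID encoding is standard;
# the filter matching rule and the sample data are constructed assumptions.

from typing import Dict, List, Set, Tuple


# ---- DER object-identifier content octets (X.690 8.19) ------------------

def _base128(value: int) -> bytes:
    """Big-endian base-128, continuation bit set on all but the last octet."""
    chunks = [value & 0x7F]
    value >>= 7
    while value:
        chunks.append(value & 0x7F)
        value >>= 7
    chunks.reverse()
    return bytes(c | 0x80 for c in chunks[:-1]) + bytes(chunks[-1:])


def encode_oid(dotted: str) -> bytes:
    """Dotted-decimal OID -> DER content octets (no tag or length)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"malformed OID {dotted!r}")
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]   # first two arcs share one subid
    return b"".join(_base128(s) for s in subids)


def decode_oid(content: bytes) -> str:
    """DER content octets -> dotted-decimal OID; rejects a truncated encoding."""
    subids: List[int] = []
    acc, pending = 0, False
    for octet in content:
        acc = (acc << 7) | (octet & 0x7F)
        pending = bool(octet & 0x80)
        if not pending:
            subids.append(acc)
            acc = 0
    if pending or not subids:
        raise ValueError("truncated OID encoding")
    first = subids[0]
    top = 2 if first >= 80 else first // 40
    return ".".join(str(x) for x in [top, first - 40 * top] + subids[1:])


# ---- Filter matching (assumed rule) -------------------------------------

Extensions = Dict[bytes, Set[bytes]]        # extension OID -> values it carries
Filters = Dict[bytes, Set[bytes]]           # extension OID -> allowed values


def matches_filters(cert_extensions: Extensions, filters: Filters) -> bool:
    """Assumed rule: every filtered OID must be present in the certificate and
    at least one of its values must be in the allowed set."""
    for oid, allowed in filters.items():
        present = cert_extensions.get(oid)
        if not present or not (present & allowed):
            return False
    return True


def select_client_certs(certs: List[Tuple[str, Extensions]], filters: Filters) -> List[str]:
    """Names of the client's certificates that satisfy the server's filters."""
    return [name for name, exts in certs if matches_filters(exts, filters)]


# ---- Constructed sample data --------------------------------------------

OID_EXT_KEY_USAGE = "2.5.29.37"         # id-ce-extKeyUsage
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth

# Three hypothetical client certificates, described only by their extensions.
CLIENT_CERTS: List[Tuple[str, Extensions]] = [
    ("client-auth-cert", {encode_oid(OID_EXT_KEY_USAGE): {encode_oid(OID_CLIENT_AUTH)}}),
    ("server-only-cert", {encode_oid(OID_EXT_KEY_USAGE): {encode_oid(OID_SERVER_AUTH)}}),
    ("no-eku-cert", {}),
]

# A hypothetical server filter: extKeyUsage must include clientAuth.
REQUEST_FILTERS: Filters = {encode_oid(OID_EXT_KEY_USAGE): {encode_oid(OID_CLIENT_AUTH)}}

if __name__ == "__main__":
    print(select_client_certs(CLIENT_CERTS, REQUEST_FILTERS))
```

With no filters present every certificate remains a candidate, which is the behaviour the optional filter list is meant to preserve; the selection above only removes certificates that cannot satisfy a listed OID.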

@@ -3103,6 +3135,11 @@ it in the "pre_shared_key" extension in its ClientHello
({{pre-shared-key-extension}}) and supplying a suitable PSK cipher
suite.

The server MAY also send a NewSessionTicket message after the handshake is
complete, following the client CertificateVerify message. This allows the
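Review bot: the second added line anchors NewSessionTicket to "the client CertificateVerify message", but a client CertificateVerify only exists when the client actually sends a certificate, so the sentence gives no ordering for the common no-client-auth handshake. Anchor it to the message every flow ends with instead, e.g. "complete, following the client Finished message", which also keeps the "after the handshake is complete" wording accurate.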
@martinthomson martinthomson Jul 25, 2015


NewSessionTicket needs to follow the client's Finished. For one, the client's CertificateVerify won't appear in every exchange.

@ekr ekr Aug 18, 2015


I think we should at this point relax the rule and say you can generate a NewSessionTicket whenever.

@Andrei-Popov Andrei-Popov Aug 18, 2015


Yes, I’d be fine with relaxing the rule.

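An added example, not code from the draft or from anyone in this thread, in Python: a small transcript checker for the ordering point discussed above. It implements the stricter reading from the review (NewSessionTicket and a post-handshake CertificateRequest may only follow the client's Finished, and a client CertificateVerify is only valid after a client Certificate) and shows that a handshake with no client authentication has no CertificateVerify to anchor to. The rules and the sample transcripts are assumptions constructed for the example, not text from the draft.

```python
# Added example (not from the tls13-spec draft or PR #209).
# Checks handshake-message ordering for the NewSessionTicket point raised
# in the review. The rules below are the reviewer's reading, encoded as an
# assumption; the transcripts are constructed sample data.

from typing import List, Tuple

Msg = Tuple[str, str]   # (sender, handshake message type)


def check_transcript(transcript: List[Msg]) -> List[str]:
    """Return a list of ordering violations (empty list means the transcript
    satisfies the assumed rules)."""
    errors: List[str] = []
    server_finished = False
    client_finished = False
    client_cert_sent = False

    for i, (sender, mtype) in enumerate(transcript):
        if sender == "server":
            if mtype == "Finished":
                server_finished = True
            elif mtype == "NewSessionTicket" and not client_finished:
                # The no-client-auth flow has no client CertificateVerify, so
                # the client's Finished is the only message the ticket can follow.
                errors.append(f"#{i}: NewSessionTicket before client Finished")
            elif mtype == "CertificateRequest" and server_finished and not client_finished:
                errors.append(f"#{i}: post-handshake CertificateRequest before client Finished")
        elif sender == "client":
            if mtype == "Certificate":
                client_cert_sent = True
            elif mtype == "CertificateVerify" and not client_cert_sent:
                errors.append(f"#{i}: CertificateVerify without a preceding client Certificate")
            elif mtype == "Finished":
                if not server_finished:
                    errors.append(f"#{i}: client Finished before server Finished")
                client_finished = True
                client_cert_sent = False   # a later post-handshake auth needs a fresh Certificate
        else:
            errors.append(f"#{i}: unknown sender {sender!r}")
    return errors


# ---- Constructed transcripts ---------------------------------------------

SERVER_FLIGHT: List[Msg] = [
    ("server", "ServerHello"),
    ("server", "EncryptedExtensions"),
    ("server", "Certificate"),
    ("server", "CertificateVerify"),
    ("server", "Finished"),
]

# No client auth: the ticket follows the client's Finished.
NO_CLIENT_AUTH_OK: List[Msg] = SERVER_FLIGHT + [
    ("client", "Finished"),
    ("server", "NewSessionTicket"),
]

# No client auth, ticket sent right after the server's own flight: there is
# no client CertificateVerify here, and the client has not finished yet.
TICKET_TOO_EARLY: List[Msg] = SERVER_FLIGHT + [
    ("server", "NewSessionTicket"),
    ("client", "Finished"),
]

# Post-handshake client authentication (item 1 of the PR description).
POST_HANDSHAKE_AUTH_OK: List[Msg] = SERVER_FLIGHT + [
    ("client", "Finished"),
    ("server", "CertificateRequest"),
    ("client", "Certificate"),
    ("client", "CertificateVerify"),
    ("client", "Finished"),
    ("server", "NewSessionTicket"),
]

# A CertificateVerify with no client Certificate before it.
VERIFY_WITHOUT_CERT: List[Msg] = SERVER_FLIGHT + [
    ("client", "CertificateVerify"),
    ("client", "Finished"),
]

if __name__ == "__main__":
    for name, t in [("no-client-auth", NO_CLIENT_AUTH_OK), ("ticket-too-early", TICKET_TOO_EARLY),
                    ("post-handshake-auth", POST_HANDSHAKE_AUTH_OK), ("verify-without-cert", VERIFY_WITHOUT_CERT)]:
        print(name, check_transcript(t) or "ok")
```

Relaxing the rule as proposed in the thread would amount to deleting the NewSessionTicket branch in the checker; the CertificateVerify dependency stays, since it is a property of the client's own flight rather than of ticket timing.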

@ekr ekr commented Sep 22, 2015

Closed so we can split into two.

@ekr ekr closed this Sep 22, 2015