I think if the public key the client asks about is something that can sign things, we could just ask the client to sign a JWS with the key in question:

We need something else for KEMTLS though, because they can't sign anything, only make a new random shared session key.

On 26. 3. 10. at 17:37, Ilari Liusvaara wrote:
> On Mon, Mar 09, 2026 at 02:52:34PM -0700, Aaron Gable wrote:
>> I'm supportive of splitting the `pk` identifier type and the `pk-01`
>> challenge into a separate draft. I think there's a lot to discuss even with
>> a scope that small, including alternative challenge types like performing a
>> tls-alpn-01-style handshake using the keypair. I also freely admit that
>> this is the portion of the draft that I both care about (as someone who has
>> been promoting the idea of a pubkey identifier type for a while) and that I
>> actually understand.
>
> I think that having the server send a nonce in challenge and client
> returning TLS 1.3-compatible signature in challenge acknowledge would
> be much simpler than messing with TLS handshakes.
>
> -Ilari

_______________________________________________
Acme mailing list -- [email protected]
To unsubscribe send an email to [email protected]
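The nonce-and-signature exchange suggested in the quoted message, as an added sketch that comes from neither the thread nor any draft: the server issues a fresh nonce, the client signs it inside the RFC 8446 section 4.4.3 framing (64 bytes of 0x20, a context string, a 0x00 separator, the content), and the server verifies against the key named in the identifier. The context label, the 32-byte nonce length, the choice of Ed25519 and all function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Hypothetical context label; the thread does not define one.
const pkContext = "ACME pk-01 challenge (hypothetical)"

// signedContent frames the nonce the way RFC 8446 section 4.4.3 frames
// signed data, so the signature cannot be reused in another context.
func signedContent(nonce []byte) []byte {
	b := bytes.Repeat([]byte{0x20}, 64)
	b = append(b, pkContext...)
	b = append(b, 0x00)
	return append(b, nonce...)
}

// newNonce is the server side: a fresh, single-use 32-byte value (assumed size).
func newNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// respond is the client side: sign the framed nonce with the key being validated.
func respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, signedContent(nonce))
}

// verify is the server side: check the signature against the nonce it issued.
func verify(pub ed25519.PublicKey, nonce, sig []byte) bool {
	return ed25519.Verify(pub, signedContent(nonce), sig)
}

// demo runs one exchange with a constructed key and reports whether the
// server accepts: a fresh response, the same response replayed against a
// different nonce, and a signature over the bare nonce without the framing.
func demo() (fresh, replayed, unframed bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	nonce, _ := newNonce()
	other, _ := newNonce()
	sig := respond(priv, nonce)
	return verify(pub, nonce, sig), verify(pub, other, sig),
		verify(pub, nonce, ed25519.Sign(priv, nonce))
}

func main() { fmt.Println(demo()) }
```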
