On Tue, Jul 12, 2016 at 10:29:29PM +0300, Ilari Liusvaara wrote:
> By the time CertificateRequest is sent, the server knows the final
> protocol, so it can omit algorithms it knows it can't handle. Also,
> the client picks the actual algorithm, so it too can avoid algorithms
> it can't handle. So client auth isn't the interop hazard server auth
> is.
There actually are TLS stacks in dev that have TLS 1.2 client authentication on the will-not-implement list (for reasons totally unrelated to "message-based signatures") but are willing to consider or implement TLS 1.3 client authentication (these are done by authors who actually care about security[1], and know just how dangerous "crap" is).

(Oh, at least two of those have backend signature APIs that actually are message-based for all signatures.)

[1] To the point of willfully ignoring "MUST" or "MUST NOT" requirements that conflict on security. E.g. unsafe MTIs won't be implemented.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
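The negotiation described in the quoted paragraph, as an added example that is not part of the thread and not the code of any TLS stack mentioned in it. It models the two halves of the argument in Go: the server builds its CertificateRequest algorithm list only after the version is final (dropping the schemes RFC 8446 reserves for certificate signatures when TLS 1.3 was negotiated), and the client picks from that list only what its own key and backend can sign, answering with nothing rather than guessing. It then shows what a "message-based" signature API actually receives in TLS 1.3: the full CertificateVerify content with the role-specific context string, signed here with Ed25519 over a SHA-256 transcript hash. The code points are the real ones from RFC 8446 (the final spec, which postdates this 2016 thread); the transcript bytes and the key seed are constructed for the example and the helper names are mine.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// SignatureScheme code points from RFC 8446, section 4.2.3.
const (
	RSAPKCS1SHA1         uint16 = 0x0201
	ECDSASHA1            uint16 = 0x0203
	RSAPKCS1SHA256       uint16 = 0x0401
	ECDSASecp256r1SHA256 uint16 = 0x0403
	RSAPSSRSAESHA256     uint16 = 0x0804
	Ed25519Scheme        uint16 = 0x0807
)

const (
	VersionTLS12 uint16 = 0x0303
	VersionTLS13 uint16 = 0x0304
)

// usableInTLS13Handshake: RFC 8446 keeps RSASSA-PKCS1-v1_5 and the SHA-1 legacy
// schemes for certificate signatures only, never for CertificateVerify.
func usableInTLS13Handshake(s uint16) bool {
	switch s {
	case RSAPKCS1SHA1, ECDSASHA1, RSAPKCS1SHA256:
		return false
	}
	return true
}

// CertificateRequestAlgorithms is the server side: the version is final by the
// time CertificateRequest is built, so only schemes verifiable under it go out.
func CertificateRequestAlgorithms(version uint16, serverCanVerify []uint16) []uint16 {
	out := []uint16{}
	for _, s := range serverCanVerify {
		if version == VersionTLS13 && !usableInTLS13Handshake(s) {
			continue
		}
		out = append(out, s)
	}
	return out
}

// ChooseClientScheme is the client side: first advertised scheme the client's
// key and backend can sign with, or 0 when nothing matches (the client then
// sends an empty Certificate instead of guessing).
func ChooseClientScheme(offered, clientCanSign []uint16) uint16 {
	for _, o := range offered {
		for _, c := range clientCanSign {
			if o == c {
				return o
			}
		}
	}
	return 0
}

// CertificateVerifyContent builds what a TLS 1.3 signature covers (RFC 8446,
// section 4.4.3): 64 spaces, a role-naming context string, one zero byte, then
// the transcript hash. A message-based backend takes all of this and hashes it.
func CertificateVerifyContent(client bool, transcriptHash []byte) []byte {
	context := "TLS 1.3, server CertificateVerify"
	if client {
		context = "TLS 1.3, client CertificateVerify"
	}
	var b bytes.Buffer
	b.Write(bytes.Repeat([]byte{0x20}, 64))
	b.WriteString(context)
	b.WriteByte(0)
	b.Write(transcriptHash)
	return b.Bytes()
}

// SignCertificateVerify: pure Ed25519 (scheme 0x0807) over the content; the
// transcript hash is SHA-256 as it would be for TLS_AES_128_GCM_SHA256.
func SignCertificateVerify(priv ed25519.PrivateKey, client bool, transcript []byte) []byte {
	h := sha256.Sum256(transcript)
	return ed25519.Sign(priv, CertificateVerifyContent(client, h[:]))
}

// VerifyCertificateVerify: the role is inside the signed bytes, so a client
// signature never verifies as a server one, and a changed transcript fails.
func VerifyCertificateVerify(pub ed25519.PublicKey, client bool, transcript, sig []byte) bool {
	h := sha256.Sum256(transcript)
	return ed25519.Verify(pub, CertificateVerifyContent(client, h[:]), sig)
}

// DemoKeyPair derives a key from a fixed, constructed seed so the run is
// deterministic; a real stack loads or generates keys, never hard-codes them.
func DemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	offered := CertificateRequestAlgorithms(VersionTLS13,
		[]uint16{RSAPKCS1SHA256, RSAPSSRSAESHA256, ECDSASecp256r1SHA256, Ed25519Scheme})
	fmt.Printf("server advertises: %#v\n", offered)
	fmt.Printf("client picks: %#04x\n", ChooseClientScheme(offered, []uint16{Ed25519Scheme}))
	pub, priv := DemoKeyPair()
	transcript := []byte("constructed handshake transcript")
	sig := SignCertificateVerify(priv, true, transcript)
	fmt.Println("verifies as client:", VerifyCertificateVerify(pub, true, transcript, sig))
	fmt.Println("verifies as server:", VerifyCertificateVerify(pub, false, transcript, sig))
}
```

The role check in `VerifyCertificateVerify` is the reason a message-based API is a good fit here: the context string and transcript hash are part of the bytes the backend hashes, so the backend cannot be handed a bare digest that was produced for some other role or protocol.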