On Thu, Jun 4, 2020 at 9:24 AM Russ Housley <hous...@vigilsec.com> wrote:
> Eric:
>
> On Wed, Jun 3, 2020 at 6:07 PM Martin Thomson <m...@lowentropy.net> wrote:
>>
>>> I think that this is a useful erratum and it should be approved/HFDU.
>>> The extension to which this text alludes is RFC 8773, not
>>> post_handshake_auth.
>>>
>> Yes, although 8773 actually is not super-clear about post-handshake, so
>> that's actually something we should clarify there.
>>
>> RFC 8773 is not intended for post handshake. So, I never thought about
>> that. What is the use case you are considering?
>>
> I don't have one. I'm just trying to make sure things are clear. Perhaps
> an erratum on 8773 to make ultra clear?
>
> I do not find it unclear.
>
> I am looking at 5.2 which seems like it could be more precise.
>
> What do you have in mind?

Changing:

   TLS 1.3 does not permit the server to send a CertificateRequest message
   when a PSK is being used. This restriction is removed when the
   "tls_cert_with_extern_psk" extension is negotiated, allowing
   certificate-based authentication for both the client and the server.

To:

   TLS 1.3 does not permit the server to send a CertificateRequest message
   when a PSK is being used. This restriction is removed for the main
   handshake when the "tls_cert_with_extern_psk" extension is negotiated,
   allowing certificate-based authentication for both the client and the
   server. This extension has no impact on external PSK usage with
   post-handshake authentication, which is prohibited by TLS 1.3.

-Ekr

> Russ
>
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls