On Fri, Jun 5, 2020, at 03:54, Russ Housley wrote: > > On Jun 4, 2020, at 12:37 PM, Eric Rescorla <e...@rtfm.com> wrote: > > Changing: > > TLS 1.3 does not permit the server to send a CertificateRequest > > message when a PSK is being used. This restriction is removed when > > the "tls_cert_with_extern_psk" extension is negotiated, allowing > > certificate-based authentication for both the client and the > > server. To: TLS 1.3 does not permit the server to send a > > CertificateRequest message when a PSK is being used. This restriction > > is removed when the "tls_cert_with_extern_psk" extension is > > negotiated, allowing certificate-based authentication for both the > > client and the server. > > > > To: > > TLS 1.3 does not permit the server to send a CertificateRequest > > message when a PSK is being used. This restriction is removed when > > the "tls_cert_with_extern_psk" extension is negotiated, allowing > > certificate-based authentication for both the client and the > > server. To: TLS 1.3 does not permit the server to send a > > CertificateRequest message when a PSK is being used. This > > restriction is removed for the main handshake when the > > "tls_cert_with_extern_psk" extension is negotiated, allowing > > certificate-based authentication for both the client and the > > server. This extension has no impact on external PSK usage > > with post-handshake authentication, which is prohibited by > > TLS 1.3.
I see four copies of nearly the same text here, I just want to confirm that it is this last one that we are talking about: > TLS 1.3 does not permit the server to send a CertificateRequest message when > a PSK is being used. This restriction is removed for the main handshake when > the "tls_cert_with_extern_psk" extension is negotiated, allowing > certificate-based authentication for both the client and the server. This > extension has no impact on external PSK usage with post-handshake > authentication, which is prohibited by TLS 1.3. > This works for me. I wonder if "initial handshake" would be better than > "main handshake" "initial" or "main" both add confusion here, I would strike the qualification. In TLS, there is only one handshake. If you want to talk about use of a resumption PSK in this context, then maybe add another sentence that highlights the fact that a resumption PSK that is created from a connection that uses "tls_cert_with_extern_psk" can be used, but the resulting handshake cannot involve a CertificateRequest, though a post-handshake CertificateRequest is permitted. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls