On Tue, Oct 24, 2023 at 04:13:48PM +0000, Andrei Popov wrote:

> > So it may be necessary to have the server respond with its own flag
> > to indicate that it really does want client cert auth and isn't just
> > asking for a client cert on autopilot.
>
> An "I really mean it" flag. We can add these for every TLS message,
> not just authentication-related ones. Just to make sure the peer truly
> is serious about the TLS handshake.

I hope Peter wasn't entirely serious... If the client offers and the
server asks, there's nothing to be gained from yet another extension:
the server operators who unwittingly enabled (or left defaults
unchanged) server requests for client auth will similarly unwittingly
enable the new flag.

The proposed "I'm a bot with a cert, please ask me for my bot driver's
license" flag could, I think, be helpful to server operators who want
to request certs from just that population of bots.

This isn't a burning issue however, just a nice to have.  We've somehow
gotten by without it so far, and indeed if all clients that had no
a priori reason to volunteer a cert simply ignored all requests, the
flag would not be needed.

-- 
    Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls