On Tue, Oct 24, 2023 at 04:13:48PM +0000, Andrei Popov wrote:
> > So it may be necessary to have the server respond with its own flag
> > to indicate that it really does want client cert auth and isn't just
> > asking for a client cert on autopilot.
>
> An "I really mean it" flag. We can add these for every TLS message,
> not just authentication-related ones. Just to make sure the peer truly
> is serious about the TLS handshake.
I hope Peter wasn't entirely serious... If the client offers and the server asks, there's nothing to be gained from yet another extension: the server operators who unwittingly enabled (or left defaults unchanged) server requests for client auth will similarly unwittingly enable the new flag.

The proposed "I'm a bot with a cert, please ask me for my bot driver's license" flag could, I think, be helpful to server operators who want to request certs from just that population of bots. This isn't a burning issue however, just a nice-to-have. We've somehow gotten by without it so far, and indeed if all clients that had no a priori reason to volunteer a cert simply ignored all requests, the flag would not be needed.

-- 
Viktor.