On 06.02.26 23:46, Eric Rescorla wrote:
it's just that you wouldn't need to invent a new HTTP-level indicator for the client auth case.[Apologies for unfamiliarity with HTTP layer] Is it something really very useful in practice not to inventĀ such an indicator? or in other words, is inventing it really costly to be avoided?
Once the server has committed to algorithm X it needs to maintain algorithm X for the validity period, even if it also supports algorithm Y.Is the commitment per connection or per client? Could you explain how does one infer that?It's supposed to be per client, but, as you suggest here, the server doesn't necessarily know the client's identity.
So if it's per client, is it correct to conclude that the proposed mechanism is only useful for TLS /with/ /client authentication/?
If so, then we circle back to the point that client authentication typically requires HTTP support.
I don't have a good example to hand, but TLS is a very commonly used protocol, so I was just being cautious.
Sure, thanks. -Usama
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
