Martin Rex <[email protected]> wrote:
> Tony Finch wrote:
> > Martin Rex <[email protected]> wrote:
> > >
> > > Or the server will have to be able to request from its TLS stack
> > > that the TLS session is established without any certificate
> > > path validation, and the app itself will have to sort out the
> > > mess all by itself, from an unverified client cert chain emitted by
> > > TLS.
> > > But that will require a lot of messy cert processing details
> > > in an apps spec, and may require changes to deployed TLS
> > > implementations
> > > before it can be used.
> >
> > These worries don't seem to cause significant problems in practice.
> > http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
>
> agreed, just a minor problem .... unless you care about security in any way.
That paper is about server certificate authentication, not client certificate authentication, but it does rather reinforce your point about messy cert processing details. However, one of the big problems with server authentication is poor support for name checking, which does not apply in the same way for client authentication.

Servers can support optional client certificates with OpenSSL and GnuTLS and probably others.

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
