I agre with Ilari. Currently, the way to reject a request is more than just saying "no, thanks.".
On 10/12/2016 10:17 AM, Ilari Liusvaara wrote: > On Wed, Oct 12, 2016 at 03:10:54AM -0400, Daniel Kahn Gillmor wrote: >> >> I don't think it's too much to ask that implementations be able to >> reject a post-handshake CertificateRequest gracefully, even if they have >> no intention of ever implementing a proper Client Certificate response. > > Unfortunately, currently it is too much: > > One can't just send a message saying "NAK CertficiateRequest X", since > that message is followed by Finished message, that is quite annoying > to compute (even requires forkable hash, when nothing else requires > that, and if one is to be able to freeze connection, requires very > exotic features from hash implementation. > > > -Ilari >
Description: OpenPGP digital signature
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls