I agre with Ilari. Currently, the way to reject a request is more than
just saying "no, thanks.".

On 10/12/2016 10:17 AM, Ilari Liusvaara wrote:
> On Wed, Oct 12, 2016 at 03:10:54AM -0400, Daniel Kahn Gillmor wrote:
>> I don't think it's too much to ask that implementations be able to
>> reject a post-handshake CertificateRequest gracefully, even if they have
>> no intention of ever implementing a proper Client Certificate response.
> Unfortunately, currently it is too much:
> One can't just send a message saying "NAK CertficiateRequest X", since
> that message is followed by Finished message, that is quite annoying
> to compute (even requires forkable hash, when nothing else requires
> that, and if one is to be able to freeze connection, requires very
> exotic features from hash implementation.
> -Ilari

Attachment: signature.asc
Description: OpenPGP digital signature

TLS mailing list

Reply via email to