Hi,

> I think there is at least another issue that still needs to be
> discussed: how to properly handle post-handshake handshake messages.
>
> The subject has also been raised several times on GitHub
> (https://github.com/tlswg/tls13-spec/pull/680,
> https://github.com/tlswg/tls13-spec/pull/676,
> https://github.com/tlswg/tls13-spec/issues/572) and on the mailing list
> (https://www.ietf.org/mail-archive/web/tls/current/msg22038.html).
>
> Bottom line is:
> - handling client late authentication requires a lot of state in the
>   client stack
> - currently, handling client late authentication is mandatory

[...]

> Thus, I believe the current text is inadequate. Different solutions are
> possible:
> - remove client late authentication entirely (this would have my
>   preference, since it introduces other issues*)
> - make client late authentication optional (compatible clients would
>   signal it as an extension)
> - rethink the client late authentication, as was done with KeyUpdate,
>   to limit the state required on the client side.

Martin Thomson proposed a PR (thank you) corresponding to the second point, using a simple extension in the ClientHello: https://github.com/tlswg/tls13-spec/pull/921/

I believe this proposal is a good trade-off allowing simpler implementation designs when late client authentication is not needed.

Best regards,
Olivier Levillain