On Sat, Feb 04, 2023 at 07:25:31PM +0100, Achim Kraus wrote:
> My interpretation of RFC5246, 7.4.6 Client Certificate
>
> https://www.rfc-editor.org/rfc/rfc5246.html#section-7.4.6
>
> "If no suitable certificate is available, the client MUST send a
> certificate message containing no certificates. That is, the
> certificate_list structure has a length of zero."
>
> covers RFC7250 as well. That section doesn't say anything about
> the certificate type, and so in my interpretation it applies generally
> to all certificate types, including RPK.
>
> So, even if RPK is negotiated for the client, the client complies
> with RFC5246, 7.4.6 by sending an empty list in order to indicate that
> "no suitable certificate is available".
Unfortunately, that would not work for the earlier OpenPGP certificate type (RFC6091), which does not use 0x000000 as its NAK (instead, it uses 0x01000000). Of course, I don't think anyone is using that type.

Looking at the TLS library I wrote, the TLS 1.2 parsing routines do interpret an RPK certificate containing 0x000000 as a refusal to authenticate. However, it does not actually support either TLS 1.2 client certificates or RPK client certificates, so that code cannot actually be used.

-Ilari
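As an added example (not code from this thread, nor from Ilari's library), here is a small Python parser and encoder for the body of a TLS 1.2 Certificate handshake message that applies Achim's reading: a zero-length 24-bit vector means the client declined to authenticate, for X.509 (RFC 5246) and RawPublicKey (RFC 7250) alike. The optional `strict` flag instead enforces RFC 7250's `<1..2^24-1>` lower bound on the RPK vector, which is exactly where the two readings collide; the OpenPGP type (RFC 6091) is left out, and the byte strings in the usage are constructed, not real certificates.

```python
# Added example; the two string constants name the certificate types handled.
X509, RPK = "x509", "rpk"


def _u24(b: bytes) -> int:
    return int.from_bytes(b, "big")


def parse_certificate_body(body: bytes, cert_type: str, strict: bool = False):
    """Return ("declined", None), ("x509", [der, ...]) or ("rpk", spki)."""
    if len(body) < 3:
        raise ValueError("truncated vector length")
    total = _u24(body[:3])
    if 3 + total != len(body):
        raise ValueError("vector length does not match message size")
    if total == 0:
        if strict and cert_type == RPK:
            # RFC 7250 declares opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>
            raise ValueError("RFC 7250 requires a non-empty RPK vector")
        return ("declined", None)  # RFC 5246 7.4.6: empty certificate_list
    payload = body[3:]
    if cert_type == RPK:
        return (RPK, payload)  # the SubjectPublicKeyInfo, kept opaque here
    if cert_type != X509:
        raise ValueError("unsupported certificate type")
    certs, i = [], 0
    while i < len(payload):
        if i + 3 > len(payload):
            raise ValueError("truncated ASN.1Cert length")
        n = _u24(payload[i:i + 3])
        i += 3
        if n == 0 or i + n > len(payload):  # ASN.1Cert is <1..2^24-1>
            raise ValueError("bad ASN.1Cert length")
        certs.append(payload[i:i + n])
        i += n
    return (X509, certs)


def build_certificate_body(cert_type: str, items) -> bytes:
    """Encode: items is a list of DER certs (x509) or a one-element [spki] (rpk)."""
    if cert_type == X509:
        inner = b"".join(len(c).to_bytes(3, "big") + c for c in items)
    elif cert_type == RPK:
        inner = b"".join(items)
    else:
        raise ValueError("unsupported certificate type")
    return len(inner).to_bytes(3, "big") + inner
```

`build_certificate_body("x509", [])` produces the three zero bytes the thread is about, and `parse_certificate_body(b"\x00\x00\x00", "rpk", strict=True)` is the case a strict RFC 7250 parser rejects.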