On Tue, Oct 24, 2023 at 04:11:53PM +0000, Andrei Popov wrote:

> > At least as a client, you can't read anything into seeing a cert request
> > from the server, it's just a standard part of the handshake, like a keyex
> > or a finished.
>
> This is exactly my argument: when a client receives a cert request the
> client cannot satisfy, the RFC says send an empty Certificate and
> continue with the handshake...

Sadly, that's not what actually reliably happens in practice, or at
least that was the case when I last looked. Perhaps all the guilty
TLS stacks were fixed in the meantime? I am not well placed to
determine how much "friction" remains.

--
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls