TLS and Usage of "trusted_ca_keys" by server
From: David C. Partridge (afb12_at_dial.pipex.com)
Date: 07/03/03
- Next message: Anton Stiglic: "Re: HMAC -NMAC security"
- Previous message: Tom St Denis: "Re: Performance tests of some AES implementations in C"
- Next in thread: Henrick Hellström: "Re: TLS and Usage of "trusted_ca_keys" by server"
- Reply: Henrick Hellström: "Re: TLS and Usage of "trusted_ca_keys" by server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 3 Jul 2003 14:23:04 +0100
In rfc3446, section 3.4 says that a constrained client may send an extension
of type "trusted_ca_keys" to the server to indicate the CAs that it knows
about.
This allows the server to implicitly select a private key and matching
certificate chain that the client can support.
Does this specification preclude the server from using the same technique to
indicate to the client which CAs it is prepared to support, thus allowing
the client to select an appropriate key pair and certificate? The specific
reason I'm asking is that the rfc says at the end of section 3.4:
----- QUOTE -----
Servers that receive a client hello containing the "trusted_ca_keys"
extension, MAY use the information contained in the extension to
guide their selection of an appropriate certificate chain to return
to the client. In this event, the server SHALL include an extension
of type "trusted_ca_keys" in the (extended) server hello.
The "extension_data" field of this extension SHALL be empty.
----- END QUOTE -----
and this would seem to preclude such a possibility
- Next message: Anton Stiglic: "Re: HMAC -NMAC security"
- Previous message: Tom St Denis: "Re: Performance tests of some AES implementations in C"
- Next in thread: Henrick Hellström: "Re: TLS and Usage of "trusted_ca_keys" by server"
- Reply: Henrick Hellström: "Re: TLS and Usage of "trusted_ca_keys" by server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
