Re: [TLS] Asking the browser for a different certificate
Marsh Ray <marsh@extendedsubset.com> Mon, 29 March 2010 20:01 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5B7613A689A for <tls@core3.amsl.com>; Mon, 29 Mar 2010 13:01:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.055
X-Spam-Level:
X-Spam-Status: No, score=0.055 tagged_above=-999 required=5 tests=[AWL=0.035, BAYES_05=-1.11, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ydfG49QHpe6y for <tls@core3.amsl.com>; Mon, 29 Mar 2010 13:01:52 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id DA6D73A680F for <tls@ietf.org>; Mon, 29 Mar 2010 13:01:51 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NwLAA-000CpI-VQ; Mon, 29 Mar 2010 20:02:19 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id E450E60B8; Mon, 29 Mar 2010 20:02:17 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+M0B6080YI4hj5Rhg7z7EjJirB/+zBUPQ=
Message-ID: <4BB10749.7050100@extendedsubset.com>
Date: Mon, 29 Mar 2010 15:02:17 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100216 Thunderbird/3.0.2
MIME-Version: 1.0
To: Kyle Hamilton <aerowolf@gmail.com>, "tls@ietf.org" <tls@ietf.org>
References: <4BAE396B.9090104@extendedsubset.com> <201003291745.o2THjKgr017986@fs4113.wdf.sap.corp> <6b9359641003291236t4e7bd0c6ycc5c5a435f38f3cf@mail.gmail.com>
In-Reply-To: <6b9359641003291236t4e7bd0c6ycc5c5a435f38f3cf@mail.gmail.com>
X-Enigmail-Version: 1.0.1
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Asking the browser for a different certificate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Mar 2010 20:01:53 -0000
On 3/29/2010 2:36 PM, Kyle Hamilton wrote: > Of course, requiring the client to identify itself before proceeding > with a handshake... that's something I wish that TLS provided for. That should be supported by the TLS protocol, although you will need the TLS library to call back into your code to give you a chance to abort the handshake. Nothing prevents you from defining an application protocol which assigns the roles of TLS client and TLS server opposite from the underlying transport layer. E.g., client makes a TCP connection to server, then the TCP server sends a Client Hello to the TCP client. Once that connection was established you could renegotiate to get mutual authentication. You might have the client send a little initial hint if you want session resumption to work in the usual direction. That's not part of TLS, but it's not much different than using starttls in the middle of some other protocol. - Marsh
- Re: [TLS] Asking the browser for a different cert… Story Henry
- [TLS] Asking the browser for a different certific… Story Henry
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Wan-Teh Chang
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] Asking the browser for a different cert… Kyle Hamilton
- Re: [TLS] Asking the browser for a different cert… Michael D'Errico
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Dale Gustafson
- Re: [TLS] Asking the browser for a different cert… Kyle Hamilton
- Re: [TLS] Asking the browser for a different cert… Bruno Harbulot
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Kemp, David P.
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Kemp, David P.
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Marsh Ray