
Re: [SECMECH] Re: Identity Protection in EAP-TLS



Hi Simon,

Simon Josefsson wrote:
> How would your approach compare to using TLS-PSK to set up a TLS
> connection, and then within that TLS session, re-handshake with client
> certificates?  The client certificates would then be encrypted.

The document assumes that there is no PSK shared between the client and the server. Thus, there is no way to encrypt the certificate unless we use a key derived from the premaster secret (per-session key).


We already published a document (EAP-Double-TLS) which runs like your approach: establishing a TLS shared secret Handshake to set up a protected connection and therefore a Handshake with certificate exchange.

/Simon

Best regards,
Badra


