Re: [Sks-devel] TLS 1.3 and HKPS pool
From: Phil Pennock
Subject: Re: [Sks-devel] TLS 1.3 and HKPS pool
Date: Mon, 19 Mar 2018 17:24:07 -0400

On 2018-03-19 at 22:14 +0100, Kristian Fiskerstrand wrote:
> On 03/19/2018 10:08 PM, Phil Pennock wrote:
> > Do we care?
>
> I'm tempted to say no..

Another point in favor of that: I'd forgotten that TLS1.3 moves
certificate exchange to be protected by the session, so encrypted. Thus
I suspect that we won't have SNI available for choosing TLS versions and
ciphersuites until after TLS1.3 has already been negotiated.

I could do something like bring up another IPv6 address with a listening
server, but that would still need manual hacks in the pool-server
software to even know that IP address is worthy of consideration.

-Phil