Re: Report on preliminary decision on TLS 1.3 and client auth

In message <>, Martin Thomson writes:
>On 25 September 2015 at 03:14, Poul-Henning Kamp <> wrote:
>> What I tried to say above is that we don't know which cookie
>> identifies the session.
>What I neglected to mention earlier is that the client certificate
>mechanism that was being added was viewed more as a necessary evil
>than an important feature.  No one liked having to do this, but as
>Mark pointed out, there are far more people relying on having the
>functionality than we previously thought.

I think in the current climate, we have a lot of latitude for
doing things right, and telling people why they should migrate
to something safer, so we should seriously consider skipping
the workarounds and aim for something that will hold up well
under pressure.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Received on Friday, 25 September 2015 17:20:52 UTC