RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 8446, "The Transport Layer Security (TLS) Protocol Version 1.3", August 2018

Source of RFC: tls (sec)

Errata ID: 6205
Status: Reported
Type: Editorial
Publication Format(s) : TEXT

Reported By: Martin Thomson
Date Reported: 2020-06-04

Section 4.3.2 says:

   Servers which are authenticating with a PSK MUST NOT send the
   CertificateRequest message in the main handshake, though they MAY
   send it in post-handshake authentication (see Section 4.6.2) provided
   that the client has sent the "post_handshake_auth" extension (see
   Section 4.2.6).

It should say:

   Servers which are authenticating with a resumption PSK MUST NOT send the
   CertificateRequest message in the main handshake, though they MAY
   send it in post-handshake authentication (see Section 4.6.2) provided
   that the client has sent the "post_handshake_auth" extension (see
   Section 4.2.6).  Servers which are authenticating with an external PSK
   MUST NOT send the CertificateRequest message either in the main handshake
   or request post-handshake authentication. Future specifications MAY
   provide an extension to permit this. 

Notes:

The lack of qualification on "authenticating with a PSK" implies that the statement applies equally to both external and resumption PSKs. However, there are two conditions being governed: whether a certificate can be requested during the handshake, and whether a certificate can be requested post-handshake. The latter of these requires different rules depending on the type of PSK.

We know from the analysis of resumption (see https://mailarchive.ietf.org/arch/msg/tls/TugB5ddJu3nYg7chcyeIyUqWSbA/) that combining a PSK handshake of either type with a client certificate is not safe. Thus, the prohibition on CertificateRequest during the handshake applies equally to both resumption and external PSKs.

For post-handshake, Appendix E.1 already discusses the risks of combining PSKs with certificates, citing the same analysis as above.

[...] It is unsafe to use certificate-based client
authentication when the client might potentially share the same
PSK/key-id pair with two different endpoints.

For this reason an external PSK is not safe to use with post-handshake authentication. A resumption PSK does not have this property, so the same prohibition doesn't apply.

Splitting the requirements as proposed makes this split clearer.

Report New Errata