Closed emanjon closed 2 years ago
IIRC the consensus was that it was up to the protocol using TLS 1.3 to define how it should be handled and if multiple client identities are allowed
Given that we are admitting the possibility of the server authenticating as multiple identities, I would be reluctant to rule it out for the client. I don't have as clear a recollection as Hubert does, but leaving it to the consuming application seems likely to be the best we can really do, other than providing warnings about the semantics of multiple identities being hard to nail down.
That is my thought as well. I believe we should close this as wontfix.
Discussed in Vienna. Closed.
RFC 8446 makes it clear that the client can receive any number of CertificateRequests, but RFC 8446 does not say anything about identities when the client authenticates several times. RFC 8446 does not seem to forbid the server to accept authentication with completely different identities each time. Is this a feature or a bug?
I assume you could have a client first authenticate as a user and then as root, but this would mean that a connection is associated with several identities and not only "the identity" that RFC 8446 and [Kraw16] talk about. Several identities also make it hard to determine which identity a specific ticket belongs to. RFC 8446 states that data before authentication was sent/received by the identity that later authenticated.
"If the server at some point in the connection has considered the client authenticated with one identity, it MUST not consider the client authenticated with another identity."
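As an added illustration (not code from the thread or from any TLS implementation), the following models the single-identity rule quoted above as server-side application logic: the first accepted client Certificate pins the connection's identity, later post-handshake authentications are accepted only if they carry the same identity, and tickets issued afterwards are bound to that one identity. The `LeafCert` structure and the issuer+subject notion of "identity" are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a verified leaf certificate; a real server would
# take these fields from the chain it has already validated.
@dataclass(frozen=True)
class LeafCert:
    subject: str   # e.g. "CN=alice"
    issuer: str    # e.g. "CN=Example CA"

@dataclass
class ConnectionAuthState:
    """Per-connection record of the single client identity accepted so far."""
    identity: Optional[tuple] = None
    rejected: list = field(default_factory=list)   # identities refused later

def identity_of(cert: LeafCert) -> tuple:
    # Assumption for this example: issuer+subject is "who" the client is, so a
    # renewed certificate for the same subject counts as the same identity.
    return (cert.issuer, cert.subject)

def accept_client_auth(state: ConnectionAuthState, cert: LeafCert,
                       signature_ok: bool) -> bool:
    """Decide whether an initial or post-handshake client authentication is
    accepted. Once an identity is pinned, any different identity is refused."""
    if not signature_ok:          # CertificateVerify failed: never accept
        return False
    ident = identity_of(cert)
    if state.identity is None:    # first successful authentication pins it
        state.identity = ident
        return True
    if ident == state.identity:   # re-authentication as the same identity
        return True
    state.rejected.append(ident)  # "MUST not ... authenticated with another identity"
    return False

def bind_ticket(state: ConnectionAuthState, ticket_nonce: bytes) -> tuple:
    """Associate a NewSessionTicket with the one identity of this connection,
    so a later resumption is unambiguous about whom it belongs to."""
    if state.identity is None:
        raise RuntimeError("no authenticated client identity to bind")
    return (ticket_nonce, state.identity)
```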