In the currently available text, we read: "The Trusted CA Indication is contained in the ClientHello message. The "extension_data" field of this extension shall be empty".
RFC 6066 instead foresees that the client MAY use the "Trusted CA indication" to indicate which CA root keys it possesses by inserting the "TrustedAuthorities" struct in the "extension_data" field.
The aforementioned text in 7.5.3 also appears to contradict the following sentence in the same section: "Implementations claiming conformance to this standard using this extension may specify the selection of the requested CA issued certificates on the TLS server side."
Proposal
The sentence "The Trusted CA Indication is contained in the ClientHello message. The "extension_data" field of this extension shall be empty" should be changed to "The Trusted CA Indication is contained in the ClientHello message. The "extension_data" field of this extension shall not be empty".
Or the part "The "extension_data" field of this extension shall not be empty" might simply be omitted.
The sentence "According to RFC 6066 in this event, the server shall include an extension of type "trusted_ca_keys" in the (extended) ServerHello message." could be changed to "According to RFC 6066 in this event, the server shall include an extension of type "trusted_ca_keys" in the (extended) ServerHello message. The "extension_data" field of this extension shall be empty".
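As an added example (not part of this tissue, of the standard, or of RFC 6066's own text), the ClientHello extension_data discussed above, i.e. the RFC 6066 TrustedAuthorities struct, encoded and parsed in Python, with a check that applies the proposal's rule: the client's extension_data carries the list, the server's extension_data in the ServerHello is empty. The identifier values used are constructed, and note that the RFC's list length is <0..2^16-1>, so a two-byte zero-length list is also syntactically valid, which the proposal's wording leaves open.

```python
import struct
# IdentifierType values from RFC 6066, section 6 (extension type trusted_ca_keys = 3)
PRE_AGREED, KEY_SHA1_HASH, X509_NAME, CERT_SHA1_HASH = 0, 1, 2, 3

def encode_trusted_authorities(entries):
    """Build the TrustedAuthorities struct a client sends as extension_data; entries are
    (identifier_type, bytes): 20-byte SHA-1 for hash types, DER name for x509_name."""
    body = b""
    for itype, ident in entries:
        if itype == PRE_AGREED:
            body += bytes([itype])                # identifier is an empty struct
        elif itype in (KEY_SHA1_HASH, CERT_SHA1_HASH):
            if len(ident) != 20:
                raise ValueError("SHA1Hash is opaque[20]")
            body += bytes([itype]) + ident
        elif itype == X509_NAME:
            if not 1 <= len(ident) <= 0xFFFF:
                raise ValueError("DistinguishedName<1..2^16-1>")
            body += bytes([itype]) + struct.pack("!H", len(ident)) + ident
        else:
            raise ValueError("unknown IdentifierType %d" % itype)
    return struct.pack("!H", len(body)) + body    # trusted_authorities_list<0..2^16-1>

def decode_trusted_authorities(data):
    """Parse extension_data back into (identifier_type, bytes) pairs, strict on lengths."""
    if len(data) < 2 or len(data) != 2 + struct.unpack("!H", data[:2])[0]:
        raise ValueError("list length does not match extension_data")
    pos, end, out = 2, len(data), []
    while pos < end:
        itype = data[pos]; pos += 1
        if itype == PRE_AGREED:
            out.append((itype, b""))
        elif itype in (KEY_SHA1_HASH, CERT_SHA1_HASH):
            out.append((itype, data[pos:pos + 20])); pos += 20
        elif itype == X509_NAME:
            (ln,) = struct.unpack("!H", data[pos:pos + 2]); pos += 2
            out.append((itype, data[pos:pos + ln])); pos += ln
        else:
            raise ValueError("unknown IdentifierType %d" % itype)
        if pos > end:
            raise ValueError("identifier runs past end of list")
    return out

def extension_data_conforms(role, data):
    """Proposal's rule: client extension_data carries a TrustedAuthorities list, server's is empty."""
    if role == "server":
        return data == b""
    try:
        decode_trusted_authorities(data)
        return True
    except (ValueError, struct.error):
        return False
```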
Discussion | Created | Status
To ensure intended functionality and interoperability, the proposal has been integrated into section 7.5.3 as outlined in the attachment. | 08 Jan 25 | Drafting Implementation
OK for me. | 30 Sep 24 | Discussion (red)
Proposal to update the second paragraph in clause 7.5.3 to: "The Trusted CA Indication is contained in the ClientHello message. According to RFC 6066, the "extension_data" field of this extension shall contain a list of CA root key identifiers that the client possesses. A TLS server receiving a Trusted CA Indication may use this information to guide its selection of an appropriate certificate chain to return to the client. According to RFC 6066 in this event, the server shall include an extension of type "trusted_ca_keys" in the (extended) ServerHello message. The "extension_data" field of this extension shall be empty." | 16 Sep 24 | Discussion (red)
Good catch! The description was actually intended vice versa. The proposal addresses this by requiring the client to provide the actual list of supported trust anchors if the extension is supported. Likewise, the processing for the server needs adaptation too. Proposal to accept the proposed change as Accepted (Future Improvement).