- From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
- Date: Sat, 8 Mar 2014 17:04:37 +0200
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Sat, Mar 08, 2014 at 02:13:45PM +0000, Martin Thomson wrote:
> On 8 March 2014 12:43, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:
> >
> > Some points:
> > - If the client has other active streams there, away might not be
> >   appropriate.
>
> I don't know what you mean here.

Say, website A is open in another tab, and it is using resources from website B (at worst a long download or websocket connection). And website B wants client to authenticate with client cert...

In some cases, "clean" close might take days...

And I would prefer other random websites not to use connections to other websites with extra ambient authority (never mind that those requests should be flagged).

> > - The 401 www-authenticate header value might contain some information
> >   about acceptable client certificates (similarly to TLS
> >   CertificateRequest), so the client can pick appropriate certificate
> >   before initiating new connection.
>
> Yes. That's probably "realm". But the intent is not to define how a
> client might select an appropriate certificate. The
> CertificateRequest contains some info too.

I was thinking if the client could select the certificate before connecting again... This isn't the same as realm, but realm could be useful piece of information for the client to act upon and display...

-Ilari
Received on Saturday, 8 March 2014 15:05:01 UTC