
Re: Report on preliminary decision on TLS 1.3 and client auth

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 20 Oct 2015 11:08:21 -0700
Message-ID: <CABkgnnWpxr1MfvMPWbYDtPkeoLSnONUhUhQiRC-RKB1V-U_MOQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>

On 19 October 2015 at 23:24, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>
> How does client refuse to change authentication on existing connection
> and open a new one for new authentication[1]?

A client can always ignore attempts to renegotiate, or it can offer an
empty certificate in response to a CertificateRequest.  I think the
latter is cleaner.

Keep in mind that the client has signalled a willingness to
participate in this protocol.

> Because client can be rather easily forced into situation where the
> existing connection can't change authentication without resetting
> potentially numerous streams first (e.g. streams from cross-origin
> XMLHttpRequest/Fetch non-credentials[2][3]).

I'm sorry, I couldn't parse this statement.

> Or is the browser supposed to reset all offending streams before
> changing authentication?

What would make a particular stream offensive?

Received on Tuesday, 20 October 2015 18:08:50 UTC
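The reply's second option, answering a CertificateRequest with an empty Certificate rather than re-authenticating the connection, can be seen end to end in the following Go program. This is an added example, not code from the thread or from any TLS stack discussed in it. The ConnState record and the DeclineReauth policy are hypothetical stand-ins for whatever a browser tracks per connection (an already-bound identity, streams issued in credentials-omitted mode); the certificates and loopback server are constructed test fixtures. Go's crypto/tls does not implement TLS 1.3 post-handshake client authentication, so the CertificateRequest here arrives during the initial handshake; the Certificate message the client sends in reply is the same in both cases, and GetClientCertificate is the hook that decides its contents.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T { // panics on error; only guards constructed test data
	if err != nil {
		panic(err)
	}
	return v
}

// ConnState is a hypothetical per-connection record the client keeps so it can decide
// whether a CertificateRequest may change the connection's identity.
type ConnState struct {
	Authenticated  bool // a client identity is already bound to this connection
	Uncredentialed int  // open streams that were issued in credentials-omitted mode
}

// DeclineReauth: with an identity already bound, or anonymous streams still open,
// the client answers the CertificateRequest with an empty Certificate.
func DeclineReauth(s ConnState) bool {
	return s.Authenticated || s.Uncredentialed > 0
}

// selfSigned builds a throwaway ECDSA certificate for "localhost" (constructed test data).
func selfSigned(cn string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// Handshake runs one TLS 1.3 handshake over loopback TCP with a server that requests
// (but does not require) a client certificate; it returns how many the server received.
func Handshake(s ConnState) (int, error) {
	srvCert, cliCert := selfSigned("test-server"), selfSigned("test-client")
	roots := x509.NewCertPool()
	roots.AddCert(srvCert.Leaf) // the client trusts exactly this throwaway server cert
	srvConf := &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{srvCert},
		ClientAuth:   tls.RequestClientCert, // CertificateRequest is sent, an empty reply is tolerated
	}
	cliConf := &tls.Config{
		MinVersion: tls.VersionTLS13,
		RootCAs:    roots,
		ServerName: "localhost",
		// crypto/tls calls this hook to answer the CertificateRequest; a Certificate with
		// no chain makes the client send an empty Certificate message and no CertificateVerify.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			if DeclineReauth(s) {
				return &tls.Certificate{}, nil
			}
			return &cliCert, nil
		},
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	got, errc := 0, make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			errc <- err
			return
		}
		srv := tls.Server(raw, srvConf)
		defer srv.Close()
		if err = srv.Handshake(); err == nil {
			got = len(srv.ConnectionState().PeerCertificates)
		}
		errc <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), cliConf)
	if err != nil {
		return 0, err
	}
	defer cli.Close()
	err = <-errc // server side finished; reading got afterwards is race-free
	return got, err
}

func main() {
	n, err := Handshake(ConnState{Authenticated: true})
	fmt.Println("certificates a declining client sent:", n, err) // 0 <nil>
}
```

Running Handshake with a fresh ConnState sends the client certificate (the server sees one), while an already-authenticated connection or one with credentials-omitted streams open produces the empty Certificate message and the handshake still completes, which is exactly why RequestClientCert on the server side (rather than RequireAnyClientCert) is the setting that makes the "no, thanks" answer a clean one.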

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC