
Re: Report on preliminary decision on TLS 1.3 and client auth

From: Kyle Rose <krose@krose.org>
Date: Thu, 22 Oct 2015 19:43:28 -0400
Message-ID: <CAJU8_nX_jV7b--p3+=cqW-m7N5po0OtzmHBALPJuQnayM9YDDA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>

> I wouldn't interpret this as a defense of the client certificate UX in
> browsers.  But I don't expect that to change significantly, our UX
> people have a lot of work to do, most of it much more important than
> this.

I wasn't even actually talking about the browser UI (though I guess I would
like Firefox to actually "remember this decision" for client certificates,
which it doesn't seem to do even when I check that box). I'm more talking
about the UX suggested by your first paragraph, in which the server accepts
the handshake and provides a better error. Given the solutions proposed to
the client authentication problem, I suspect that's what we'll end up
doing, bugs in application authorization logic be damned. Using client
certs as a firewall for permission-to-talk does seem like a hack: having a
simple TCB up to the point of client authentication seems like a better
solution all around.

Tl;dr: don't interpret my previous email as a defense of that use case.

Received on Thursday, 22 October 2015 23:43:58 UTC
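The two server behaviours contrasted in the message above, as an added Go example that is not code from this thread or from any TLS stack the thread discusses. One server uses client certificates as a handshake-level "firewall" (Go's `tls.RequireAndVerifyClientCert`): a client without an acceptable certificate gets a TLS alert and never sees an HTTP response. The other completes the handshake for everyone (`tls.VerifyClientCertIfGiven`) and leaves the decision, and the readable error, to the application handler. The throwaway CA, the client identity "alice", and the function names are constructed for this example; in TLS 1.3 the server's alert may arrive after the client already considers the handshake complete, so the rejected client simply sees a transport error rather than a handshake error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Outcome is what the client observes: no HTTP response at all (the TLS layer
// refused the connection) or an HTTP status chosen by the application.
type Outcome struct {
	NoHTTPResponse bool
	Status         int
}

// Results covers both server policies against a client with and without a cert.
type Results struct{ StrictNoCert, StrictCert, LenientNoCert, LenientCert Outcome }

func check(err error) {
	if err != nil {
		panic(err) // in-memory certificate generation only fails on a broken system
	}
}

// newClientCert builds a throwaway CA and a client certificate ("alice") signed
// by it. Both are constructed in memory for this example and are not real material.
func newClientCert() (*x509.CertPool, tls.Certificate) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	cliKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	cliTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cliDER, err := x509.CreateCertificate(rand.Reader, cliTmpl, caCert, &cliKey.PublicKey, caKey)
	check(err)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, tls.Certificate{Certificate: [][]byte{cliDER}, PrivateKey: cliKey}
}

// startServer runs an HTTPS server. strict=true makes the TLS layer itself
// reject any client without a valid certificate (client certs as a firewall);
// strict=false completes every handshake and lets the handler return a 403.
func startServer(clientCAs *x509.CertPool, strict bool) *httptest.Server {
	mode := tls.VerifyClientCertIfGiven
	if strict {
		mode = tls.RequireAndVerifyClientCert
	}
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Authorization now lives in application code: every handler must
		// remember this check, which is the bug class the message worries about.
		if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
			http.Error(w, "a client certificate issued by example-ca is required", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "hello %s\n", r.TLS.PeerCertificates[0].Subject.CommonName)
	})
	s := httptest.NewUnstartedServer(handler)
	s.TLS = &tls.Config{ClientAuth: mode, ClientCAs: clientCAs}
	s.StartTLS()
	return s
}

// probe issues one GET, presenting cert when non-nil, and reports what the client saw.
func probe(s *httptest.Server, cert *tls.Certificate) Outcome {
	roots := x509.NewCertPool()
	roots.AddCert(s.Certificate()) // trust the test server's self-signed certificate
	cfg := &tls.Config{RootCAs: roots}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	defer c.CloseIdleConnections()
	resp, err := c.Get(s.URL)
	if err != nil {
		return Outcome{NoHTTPResponse: true} // TLS alert, no HTTP error to read
	}
	resp.Body.Close()
	return Outcome{Status: resp.StatusCode}
}

// compare runs the four combinations of server policy and client behaviour.
func compare() Results {
	pool, cert := newClientCert()
	strict, lenient := startServer(pool, true), startServer(pool, false)
	defer strict.Close()
	defer lenient.Close()
	return Results{
		StrictNoCert:  probe(strict, nil),
		StrictCert:    probe(strict, &cert),
		LenientNoCert: probe(lenient, nil),
		LenientCert:   probe(lenient, &cert),
	}
}

func main() {
	fmt.Printf("%+v\n", compare())
}
```

The strict server keeps the trusted computing base small up to the point of client authentication: unauthenticated peers never reach a byte of application code, but all they learn is an opaque alert. The lenient server can explain itself over HTTP, at the price that every handler, not just this one, must inspect `VerifiedChains` before doing anything sensitive.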
