- From: Mark Nottingham <mnot@mnot.net>
- Date: Fri, 21 Mar 2014 12:12:31 +1100
- To: henry.story@bblfish.net
- Cc: HTTP Working Group <ietf-http-wg@w3.org>, Martin Thomson <martin.thomson@gmail.com>
On 20 Mar 2014, at 1:42 am, henry.story@bblfish.net wrote:

> So presumably here one could extend the current client "Authorization" header to
> something like
>
> Authorization: Certificate
>
> So I see that new schemes can be registered at
>
> http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-26#section-5.1.2
> https://www.ietf.org/rfc/rfc2617.txt
>
> This does require server side TLS renegotiation to work, but that's where we are at
> present.

I think this makes the most sense, in that then you could send Vary: Authorization to indicate that the response varies based upon that header.

Might be good to put a hash of the cert into the header...

Cheers,

--
Mark Nottingham http://www.mnot.net/
Received on Friday, 21 March 2014 01:13:16 UTC