- From: Paul Hoffman <paul.hoffman@gmail.com>
- Date: Thu, 12 Dec 2013 11:14:52 -0800
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Received on Thursday, 12 December 2013 19:15:19 UTC
On Wed, Dec 11, 2013 at 8:52 PM, Mark Nottingham <mnot@mnot.net> wrote:

> One possible use is that the server may want/need to know whether or not
> the client is validating the cert; e.g., a bank.

1) In what scenarios that are similar to what we have today does a server want/need to know that the client validated the cert? In your "a bank" example, assume that the user removed the WhizzyCA root from the browser's pile, the bank chains up to WhizzyCA, and the user clicked through the "do you really want to do this" warning from his browser. How does that server know that?

2) Are there other possible uses?

--Paul Hoffman