
Re: FYI: proposal for client authentication in TLS

From: Martin Thomson <martin.thomson@gmail.com>
Date: Sat, 8 Mar 2014 14:13:45 +0000
Message-ID: <CABkgnnXR9Y9+PgLg5cP=qrs36pxc7DM9RXZ21-8wtYSdcUgNDw@mail.gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Cc: HTTP Working Group <ietf-http-wg@w3.org>

On 8 March 2014 12:43, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:
> - Reference to RFC 5764 (which is some DTLS extension). Did you mean
>   RFC 6347 (DTLS 1.2)?

Yes.  I got my numbers mixed up.

> - "[...]need to authenticate can initial renegotiation, [...]".
>   That sounds odd, should it be "initial" or "initiate"?
> - Under what circumstances server ignores the extension even if it
>   is supported?

When it doesn't want to authenticate.  Maybe it's under DoS attack.
Who knows, that's their business.

> Some points:
> - If the client has other active streams there, away might not be
>   appropriate.

I don't know what you mean here.

> - The 401 www-authenticate header value might contain some information
>   about acceptable client certificates (similarly to TLS
>   CertificateRequest), so the client can pick an appropriate certificate
>   before initiating a new connection.

Yes.  That's probably "realm".  But the intent is not to define how a
client might select an appropriate certificate.  The
CertificateRequest contains some info too.

> - The proper client certificate might have been issued by the server
>   or service provider. Or even be self-signed[1].

As above.

Received on Saturday, 8 March 2014 14:14:13 UTC