W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2014

Re: FYI: proposal for client authentication in TLS

From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Sat, 8 Mar 2014 17:04:37 +0200
To: Martin Thomson <martin.thomson@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20140308150437.GA18407@LK-Perkele-VII>
On Sat, Mar 08, 2014 at 02:13:45PM +0000, Martin Thomson wrote:
> On 8 March 2014 12:43, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:
> 
> > Some points:
> > - If the client has other active streams there, away might not be
> >   apropirate.
> 
> I don't know what you mean here.

Say, website A is open in another tab, and it is using resources from
website B (at worst a long download or websocket connection). And
website B wants client to authenticate with client cert...

In some cases, "clean" close might take days...

And I would prefer other random websites not to use connections to
other websites with extra ambient authority (nevermind that those requests
should be flaggged).

> > - The 401 www-authenticate header value might contain some information
> >   about acceptable client certificates (similarly to TLS
> >   CertificateRequest), so the client can pick apropriate cerificate
> >   before initiating new connection.
> 
> Yes.  That's probably "realm".  But the intent is not to define how a
> client might select an appropriate certificate.  The
> CertificateRequest contains some info too.

I was thinking if the client could select the certificate before
connecting again...

This isn't the same as realm, but realm could be useful piece of
information for the client to act upon and display...


-Ilari
Received on Saturday, 8 March 2014 15:05:01 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:24 UTC