Re: FYI: proposal for client authentication in TLS

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 11 Mar 2014 08:57:37 +0100
Message-ID: <531EC1F1.4090209@gmx.de>
To: Yoav Nir <ynir.ietf@gmail.com>
CC: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>

On 2014-03-11 08:52, Yoav Nir wrote:
> ...
> This creates a strange dependency between HTTP versions and TLS versions.
>
> HTTP/2 forbids renegotiation and TLS 1.3 doesn't have it. OK for a new
> server, new browser, and new TLS library.
>
> HTTP/1 servers that need client authentication will have to downgrade to
> TLS 1.2 so they can get renegotiation.
> HTTP servers that support both HTTP versions will need to have
> convoluted logic in the TLS stack that says that if the ALPN did not
> include http2 then the ServerHello has to cap the versions at TLS 1.2.
>
> I'd much rather this new authentication scheme was HTTP version
> independent.

Well, the scheme itself *is* version independent. It's "just" harder to 
deploy with 1.1.

Is there an *alternative*, given the HTTP/2 constraints?

Best regards, Julian
Received on Tuesday, 11 March 2014 07:58:07 UTC