Re: Client certificates in HTTP/2

On Tue, Jun 09, 2015 at 05:51:39PM +0000, Mike Bishop wrote:
> Martin's approach, along with the early-renegotiation dance in the
> HTTP/2 spec, still forces the creation of a new TLS connection,
> something we'd prefer to avoid.  It's better than HTTP_1_1_REQUIRED
> in that it lets the client keep using HTTP/2, but worse in that it
> mixes the TLS and HTTP layers, something we'd also prefer to minimize.

If one really wants to avoid new TLS connection creation in something
that could be actually secure, one would have to support SPDY-style
client certificate slots, presumably signaling which slot to use per
request in Authorization: header.

This is because changing connection authentication mid-connection is
asking for security problems (especially if client side is a browser),
even if no proxies are involved.

Of course, doing SPDY-style auth safely requires EMS or TLS 1.3+.


Received on Tuesday, 9 June 2015 18:49:20 UTC