Re: Client certificates in HTTP/2

On 9 June 2015 at 15:26, Adrien de Croy <> wrote:
> so the proposal is to include some flag in all requests (but maybe not by
> some browsers) which can't be used by the server.

Sure it can be used.

> That doesn't seem like a good use of resource.

It's a few bytes.  We've wasted a lot more elsewhere for less worthy
reasons.  Not that I think this is a great idea, but I can appreciate
that Microsoft have to do *something*.  It's an existing use that
isn't well served.  I'd rather the option I proposed, but we're not
seeing a lot of movement on the client authentication piece.

Maybe when Microsoft produce a proposal for TLS 1.3, we'll be a better
position.  Maybe that will be possible when the TLS 1.3 key schedule
and handshake becomes stable (which should be very soon).

> Or is tongue firmly planted in cheek on this one?

Not this time.  I refer you to:

> Did you forget Chromium as well?

I never forget Chromium, or Safari, or Opera, or Yandex, or UC
browser...  I just don't know what they plan to do yet.  I think that
Chromium have disabled renegotiation, but I wasn't sure.

Received on Tuesday, 9 June 2015 22:41:26 UTC