- From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
- Date: Fri, 18 Sep 2015 20:45:30 +0300
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

On Thu, Sep 17, 2015 at 06:10:49PM -0400, Mark Nottingham wrote:
> Hi,
>
> We've talked about client certificates in HTTP/2 (and elsewhere)
> for a while, but the discussion has stalled.
>
> If you have a proposal or thoughts that might become a proposal
> in this area, please brush it off and be prepared. Of course, we
> can discuss on-list in the meantime.

Basically, the ways I know one could do client certs in HTTP/2 have
both been floated before:

1) Signal about client cert being needed, client can establish new
   connection for the authenticated stuff.
2) Do client cert at HTTP level, using the usual HTTP authentication
   headers and TLS channel binding mechanisms[1] (but certificates
   themselves require some special handling, due to size[2]).

[1] SPDY/3 did something like this, except with its own frame types.

[2] Bit crazy idea: PUT with .well-known resource.

-Ilari

Received on Friday, 18 September 2015 17:45:56 UTC