Re: Client Certificates - re-opening discussion

> Hi,
> We've talked about client certificates in HTTP/2 (and elsewhere)
> for a while, but the discussion has stalled.
> If you have a proposal or thoughts that might become a proposal
> in this area, please brush it off and be prepared. Of course, we
> can discuss on-list in the meantime.

Basically, the ways I know one could do client certs in HTTP/2 have
both been floated before:

1) Signal that a client cert is needed; the client can establish a
new connection for the authenticated stuff.

2) Do client cert at HTTP level, using the usual HTTP authentication
headers and TLS channel binding mechanisms[1] (but certificates
themselves require some special handling, due to size[2]).

[1] SPDY/3 did something like this, except with its own frame

[2] Bit crazy idea: PUT with .well-known resource.


