- From: Kyle Rose <krose@krose.org>
- Date: Mon, 21 Sep 2015 10:28:13 -0400
- To: Stefan Eissing <stefan.eissing@greenbytes.de>
- Cc: Yoav Nir <ynir.ietf@gmail.com>, Mike Bishop <Michael.Bishop@microsoft.com>, Eric Rescorla <ekr@rtfm.com>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Mark Nottingham <mnot@mnot.net>, Henry Story <henry.story@co-operating.systems>, HTTP Working Group <ietf-http-wg@w3.org>
>> The difference is that now the sane design is mandatory, else you get unpredictable results. A sane design works with renegotiation, #209 and HTTP-layer authentication
>
> Not even then. Client may reuse connections on matching certs. There are installations out there that have a cert for +3 domain names, let's say A, B and C. A has anonymous access, B and C both require different client certs. Depending on which tab the browser loads first, the one or the other cert gets loaded in, leading the other site to fail since the cert is not accepted.

Yeah, this is a huge issue that doesn't appear in HTTP/1.1. It sounds to me like the real problem is trying to shoehorn application-layer client authentication into the transport layer.

Kyle
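The coalescing failure Stefan describes, as an added simulation that is not part of this thread or of any implementation discussed in it. Host names, the IP address and the certificate names are constructed; the client reuses a connection under the RFC 7540 section 9.1.1 rule (same address, new host covered by the server certificate's SAN list), and the assumption that the client knows which client certificate each origin wants at handshake time is a simplification of the real TLS CertificateRequest flow.

```python
"""Simulation of HTTP/2 connection coalescing colliding with per-origin
TLS client certificates.  Constructed example: a.example, b.example and
c.example share one server certificate and one address; A is anonymous,
B and C each require a different client certificate."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ServerCert:
    san: frozenset  # DNS names the server certificate is valid for


@dataclass
class Connection:
    ip: str
    server_cert: ServerCert
    client_cert: Optional[str]  # client cert presented in the TLS handshake, if any


@dataclass
class Origin:
    host: str
    ip: str
    required_client_cert: Optional[str]  # None means anonymous access


def server_accept(origin: Origin, conn: Connection) -> str:
    """Server-side check: the client cert bound to the TLS connection must
    match what this origin requires.  Returns an HTTP status string."""
    if origin.required_client_cert is None:
        return "200"
    if conn.client_cert == origin.required_client_cert:
        return "200"
    return "403"  # wrong or missing client cert on a reused connection


class Client:
    """Minimal connection pool that coalesces like an HTTP/2 browser."""

    def __init__(self, coalesce: bool = True):
        self.coalesce = coalesce
        self.pool: List[Connection] = []

    def _find_coalescable(self, origin: Origin) -> Optional[Connection]:
        if not self.coalesce:
            return None
        for conn in self.pool:
            # RFC 7540 9.1.1: reuse is allowed when the same address is reached
            # and the existing server certificate covers the new host.
            if conn.ip == origin.ip and origin.host in conn.server_cert.san:
                return conn
        return None

    def fetch(self, origin: Origin, server_cert: ServerCert,
              available_client_certs: Set[str]) -> str:
        conn = self._find_coalescable(origin)
        if conn is None:
            # New handshake: present the cert this origin wants (simplification).
            wanted = origin.required_client_cert
            client_cert = wanted if wanted in available_client_certs else None
            conn = Connection(origin.ip, server_cert, client_cert)
            self.pool.append(conn)
        return server_accept(origin, conn)


def run_scenario(first_tab: str, coalesce: bool = True) -> Dict[str, str]:
    """Load the three sites starting with `first_tab`; return status per host."""
    cert = ServerCert(frozenset({"a.example", "b.example", "c.example"}))
    origins = {
        "a.example": Origin("a.example", "192.0.2.10", None),
        "b.example": Origin("b.example", "192.0.2.10", "cert-B"),
        "c.example": Origin("c.example", "192.0.2.10", "cert-C"),
    }
    client = Client(coalesce)
    order = [first_tab] + [h for h in origins if h != first_tab]
    return {h: client.fetch(origins[h], cert, {"cert-B", "cert-C"}) for h in order}


if __name__ == "__main__":
    for first in ("a.example", "b.example", "c.example"):
        print("first tab", first, "->", run_scenario(first))
    print("no coalescing            ->", run_scenario("a.example", coalesce=False))
```

Whichever tab opens first decides the client certificate bound to the shared connection, so at least one of B or C gets a 403 on every coalesced run; with coalescing disabled (the HTTP/1.1-like behaviour) each origin gets its own handshake and all three succeed. A server that cannot accept this can refuse coalescing for the protected hosts by not listing them on the shared certificate, or by answering requests for the wrong host with a 421 (Misdirected Request) so the client opens a fresh connection.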
Received on Monday, 21 September 2015 14:28:42 UTC