- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Mon, 21 Sep 2015 17:25:50 +0100
- To: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

On 17/09/15 23:10, Mark Nottingham wrote:
> Hi,
>
> We've talked about client certificates in HTTP/2 (and elsewhere) for
> a while, but the discussion has stalled.
>
> I've heard from numerous places that this is causing Pain. So, I'd
> like to devote a chunk of our time in Yokohama to discussing this.
>
> If you have a proposal or thoughts that might become a proposal in
> this area, please brush it off and be prepared. Of course, we can
> discuss on-list in the meantime.

As an occasional developer, I'm not fussed about how HTTPS with client certificate based authentication works, but I have made use of this in various server-server use-cases. It's really handy to be able to e.g. set up a new virtual host and to be able to use or test that via curl. I suspect I'm not alone in having done that and don't recall seeing it mentioned in this thread. (Apologies if I'm repeating stuff.)

While I could probably do all I need to without HTTP, it's easier and I get more code/tool re-use to use client certificates. (Note, for all cases I care about myself I can roll a new CA and certify all the parties so I have no dependency on a 3rd party PKI like the WebPKI.)

And while continuing to use HTTP/1.1 would be just fine for me, I'd prefer to use standard configurations for tools, which means at some point wanting this feature for HTTP/2 as well.

Cheers,
S.

PS: In case it's not clear, the above is wearing no IETF-hat:-)

>
> Cheers,
>
> -- Mark Nottingham https://www.mnot.net/

Received on Monday, 21 September 2015 16:26:24 UTC