Re: Client Certificates - re-opening discussion

> On Sep 21, 2015, at 10:22 AM, Mike Belshe <mike@belshe.com> wrote:
> 
> On Fri, Sep 18, 2015 at 11:31 AM, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
> We have historically had cases where customers were either legally mandated to use client certificate authentication specifically, or more generally had an IT requirement to use two-factor authentication to access enterprise resources.  I’ll research the details of some of these, and see whether I can share some details to frame this conversation in Yokohama.  Internally, we use it regularly – the certificate lives on a smartcard, the TPM, or was simply issued to the machine when it enrolled for device management.
> 
> For us, at least, the “pain” is that we can’t support a legal requirement without falling back to HTTP/1.1 and generating even more round-trips.  Our HTTP/2 investments don’t apply as soon as we’re talking to the auth server.
> 
> Thanks, this sounds about right.  The usability of browser-based client-auth was so awful that unless "mandated" by some law, no real user or website would use it :-)  If anyone on this thread hasn't tried client auth, you should, and then imagine turning that on for any real website.

Hmm, I always thought it was fairly straightforward. Although the thing is, the major use case for client certs is provisioned authorized equipment. So the end user of the browser typically doesn’t interact with it at all.

> 
> I hope the legal requirement doesn't require that client auth be done in the HTTP protocol layer, just that the certificate based auth be done.  My own opinion is that HTTP/1.1/TLS's client auth was a mistake, and my evidence is the usability of both client-auth and basic-auth authentication schemes at the protocol layer.  Neither is used in significant amounts.  The latter was definitely moved by millions of websites into the application layer, and I see no reason why browsers shouldn't offer support for client-auth like primitives which will help customers move certificate-based client auth up a level too.

How does this help the usability of the browser? It seems to me that however you do it, the overall management of client certificates in the browser is roughly the same. You have to have a mapping of site to cert stored somewhere.

-Jason

Received on Monday, 21 September 2015 17:51:59 UTC