Re: Report on preliminary decision on TLS 1.3 and client auth

On Sat, Sep 26, 2015 at 11:01:44AM +0300, Ilari Liusvaara wrote:
> There is friction with HTTP/2 connection coalescing here:
> - "Global": If connection is for origins A and B, even if cert is
>   authorized for A, it might not be authorized for B.

Note, connection coalescing can only be performed by an entity
having access to the cert, simply because HTTP passes *over*
the authenticated TLS connection. Thus when it can happen
(eg: reverse proxy, or CDN), it's the equipement's cert that
will be presented to the server.

However we still need to make it possible and standard to pass
the client-auth information *inside* HTTP so that each stream
can carry the relevant information. That's what many SSL gateways
do by adding X-SSL-whatever headers right now, and which could be
much cleaner in HTTP/2.


Received on Saturday, 26 September 2015 09:15:28 UTC