Re: Report on preliminary decision on TLS 1.3 and client auth

On 19 October 2015 at 23:24, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>
> How does the client refuse to change authentication on an existing connection
> and open a new one for new authentication[1]?

A client can always ignore attempts to renegotiate, or it can offer an
empty certificate in response to a CertificateRequest.  I think the
latter is cleaner.

Keep in mind that the client has signalled a willingness to
participate in this protocol.

> Because the client can be rather easily forced into a situation where the
> existing connection can't change authentication without resetting
> potentially numerous streams first (e.g. streams from cross-origin
> XMLHttpRequest/Fetch non-credentials[2][3]).

I'm sorry, I couldn't parse this statement.

> Or is the browser supposed to reset all offending streams before
> changing authentication?

What would make a particular stream offensive?

Received on Tuesday, 20 October 2015 18:08:50 UTC
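The reply above says the cleanest way for a client to decline a post-handshake authentication request is to answer the CertificateRequest with an empty certificate. The following is an added example, not code from this thread or from any TLS implementation, that shows what that exchange looks like on the wire. It assumes the final RFC 8446 (TLS 1.3) handshake-message encoding, which post-dates this 2015 discussion: a CertificateRequest carrying a non-empty certificate_request_context, and a Certificate reply that echoes that context with an empty certificate_list. Message-type values, the context bytes and the signature-scheme value are constructed sample input.

```python
"""
Added example (not part of the original mailing-list thread).

Encodes a TLS 1.3 post-handshake CertificateRequest and the client's
"decline" reply: a Certificate message that echoes the request context
and carries an empty certificate_list (RFC 8446, sections 4.3.2, 4.4.2,
4.6.2). Wire format assumed from RFC 8446; sample values are constructed.
"""
import struct

# HandshakeType values from RFC 8446 section 4.
HS_CERTIFICATE = 11
HS_CERTIFICATE_REQUEST = 13
# ExtensionType signature_algorithms (RFC 8446 section 4.2).
EXT_SIGNATURE_ALGORITHMS = 13


def _vec(data: bytes, len_bytes: int) -> bytes:
    """TLS variable-length vector: length prefix of len_bytes, then data."""
    return len(data).to_bytes(len_bytes, "big") + data


def _handshake(msg_type: int, body: bytes) -> bytes:
    """Handshake header: 1-byte type, 3-byte body length."""
    return struct.pack(">B", msg_type) + len(body).to_bytes(3, "big") + body


def build_certificate_request(context: bytes, sig_schemes: list) -> bytes:
    """Server side: CertificateRequest with the mandatory signature_algorithms ext."""
    sa_body = _vec(b"".join(struct.pack(">H", s) for s in sig_schemes), 2)
    ext = struct.pack(">H", EXT_SIGNATURE_ALGORITHMS) + _vec(sa_body, 2)
    body = _vec(context, 1) + _vec(ext, 2)
    return _handshake(HS_CERTIFICATE_REQUEST, body)


def parse_handshake(data: bytes):
    """Split a handshake message into (type, body); reject truncated input."""
    if len(data) < 4:
        raise ValueError("short handshake header")
    msg_type = data[0]
    length = int.from_bytes(data[1:4], "big")
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake body")
    return msg_type, body


def parse_certificate_request(body: bytes) -> bytes:
    """Return the certificate_request_context; validate the extensions vector."""
    ctx_len = body[0]
    context = body[1:1 + ctx_len]
    off = 1 + ctx_len
    ext_len = int.from_bytes(body[off:off + 2], "big")
    if len(body[off + 2:]) != ext_len:
        raise ValueError("bad extensions length")
    return context


def build_empty_certificate(context: bytes) -> bytes:
    """Client side: echo the context, send an empty certificate_list (decline)."""
    body = _vec(context, 1) + _vec(b"", 3)
    return _handshake(HS_CERTIFICATE, body)


def parse_certificate(body: bytes):
    """Return (context, raw certificate_list bytes) from a Certificate body."""
    ctx_len = body[0]
    context = body[1:1 + ctx_len]
    off = 1 + ctx_len
    list_len = int.from_bytes(body[off:off + 3], "big")
    entries = body[off + 3:off + 3 + list_len]
    if len(entries) != list_len:
        raise ValueError("truncated certificate_list")
    return context, entries


def client_declines(request: bytes) -> bytes:
    """Client that does not want to change its authentication on this connection."""
    msg_type, body = parse_handshake(request)
    if msg_type != HS_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    context = parse_certificate_request(body)
    # Post-handshake requests must carry a non-empty, unique context.
    if not context:
        raise ValueError("post-handshake CertificateRequest needs a non-empty context")
    return build_empty_certificate(context)


def server_accepts_decline(request: bytes, reply: bytes) -> bool:
    """Server check: reply is a Certificate for *this* request with no certs."""
    req_ctx = parse_certificate_request(parse_handshake(request)[1])
    msg_type, body = parse_handshake(reply)
    if msg_type != HS_CERTIFICATE:
        return False
    ctx, entries = parse_certificate(body)
    return ctx == req_ctx and entries == b""


if __name__ == "__main__":
    req = build_certificate_request(b"\x01\x02\x03\x04", [0x0804])  # constructed
    rep = client_declines(req)
    print(req.hex(), rep.hex(), server_accepts_decline(req, rep))
```

The server-side check matters: a Certificate message with an empty list only means "declined" if its context matches an outstanding request on that connection, which is what lets a client keep its existing streams untouched rather than being pushed into a different identity mid-connection.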