- From: Kyle Rose <krose@krose.org>
- Date: Thu, 22 Oct 2015 19:43:28 -0400
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Received on Thursday, 22 October 2015 23:43:58 UTC
> I wouldn't interpret this as a defense of the client certificate UX in
> browsers. But I don't expect that to change significantly, our UX
> people have a lot of work to do, most of it much more important than
> this.

I wasn't even actually talking about the browser UI (though I guess I would like Firefox to actually "remember this decision" for client certificates, which it doesn't seem to do even when I check that box). I'm more talking about the UX suggested by your first paragraph, in which the server accepts the handshake and provides a better error. Given the solutions proposed to the client authentication problem, I suspect that's what we'll end up doing, bugs in application authorization logic be damned.

Using client certs as a firewall for permission-to-talk does seem like a hack: having a simple TCB up to the point of client authentication seems like a better solution all around.

Tl;dr: don't interpret my previous email as a defense of that use case.

Kyle