- From: Mike Bishop <mbishop@evequefou.be>
- Date: Mon, 13 Nov 2017 16:37:18 +0000
- To: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>, Nick Sullivan <nicholas.sullivan@gmail.com>
- CC: Kazuho Oku <kazuhooku@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
It might also be an option to remove AUTOMATIC_USE; clients that want a certificate applied to all requests generate the extra frame for each stream, but that's fairly small overhead. I think for legacy reasons, it makes sense to restrict sending USE_CERTIFICATE 0-1 times *unless* the server sends multiple CERTIFICATE_REQUIRED messages. This support was added to parallel TLS 1.3, which permits multiple simultaneous demands for (presumably different) certificates.

-----Original Message-----
From: ilariliusvaara@welho.com [mailto:ilariliusvaara@welho.com]
Sent: Monday, November 13, 2017 7:05 PM
To: Nick Sullivan <nicholas.sullivan@gmail.com>
Cc: Kazuho Oku <kazuhooku@gmail.com>; Mike Bishop <mbishop@evequefou.be>; HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: FW: New Version Notification for draft-bishop-httpbis-http2-additional-certs-05.txt

On Mon, Nov 13, 2017 at 09:29:19AM +0000, Nick Sullivan wrote:
> Hi Kazuho,
>
> Thanks for this. I think you found an issue that we did not consider:
> the fact that server support for setting AUTOMATIC_USE in client
> certificates may not be desirable for all servers. The CGI case you
> describe would work fine as long as the client doesn't use AUTOMATIC_USE.

I think it is more multiple certificates that causes problems here than AUTOMATIC_USE. (AUTOMATIC_USE has its problems, but those seem to be mostly related to the server becoming confused about what the client actually meant).

-Ilari

Received on Monday, 13 November 2017 16:37:46 UTC