- From: James <james.ietf@gmail.com>
- Date: Wed, 22 Apr 2020 13:56:34 +0100
- To: Graham Leggett <minfrin@sharp.fm>, Brian Campbell <bcampbell@pingidentity.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

On 21/04/2020 23:17, Graham Leggett wrote:
> Having read the draft, one thing I would suggest is that the ability
> exists for the contents of the Client-Cert header to be signed, so that
> anyone who cares can verify that the header came from where it said it
> came from ... (I wouldn’t make this a MUST requirement, but maybe
> RECOMMENDED perhaps).

+1 for it not being a MUST as I think that signing the header should only be RECOMMENDED or SHOULD be present when the TRRP to Origin connection is NOT using TLS itself. Perhaps this could be offered as a separate header itself.

The draft appears to focus around no TLS being used from TRRP to Origin; I have use cases where it exists - such as a publicly trusted CA used on the TRRP's server certificate, but an internal CA used to the Origin.

- J

Received on Wednesday, 22 April 2020 13:54:11 UTC