Re: Roman Danyliw's No Objection on draft-ietf-httpbis-client-cert-field-05: (with COMMENT)

On Wed, Mar 15, 2023 at 3:30 PM Roman Danyliw via Datatracker <noreply@ietf.org> wrote:

> Roman Danyliw has entered the following ballot position for
> draft-ietf-httpbis-client-cert-field-05: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-client-cert-field/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thank you to Loganaden Velvindron for the SECDIR review.
>
> ** Section 2.3
>    It MAY have a list of values
>    or occur multiple times in a request.  For header compression
>    purposes, it might be advantageous to split lists into multiple
>    instances.
>
> If the list is split into multiple headers, the order of the headers matters to
> stay consistent with Section 4.4.2 of [TLS] (and the guidance in this section in
> cases where the chain is represented in a single header). Should this be
> explicitly stated?
>

I believe that it's sufficiently clear from the other context of the
document and that header being defined as a list HTTP Structured Field
Value.


>
> ** Section 2.4.
>
>    Requests made over a TLS connection where the use of client
>    certificate authentication was not negotiated MUST be sanitized by
>    removing any and all occurrences of the Client-Cert and Client-Cert-
>    Chain header fields
>
> Is this guidance for the TTRP on requests it got from the client? I’m trying to
> assess how this might work if there is a chain of proxies between the client
> and the origin.
>

Yes, it's only for the TTRP on requests it got from the client. I'll update
that sentence.


Received on Thursday, 16 March 2023 12:08:39 UTC
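The two points discussed above (the Section 2.4 sanitization step and the ordering of a Client-Cert-Chain split across several header instances) as an added Python model of the TTRP and origin behaviour; this is illustrative code, not code from the draft or any implementation. It assumes the draft's Structured Field encoding (Client-Cert as a Byte Sequence, Client-Cert-Chain as a List of Byte Sequences) and uses constructed placeholder bytes in place of real DER certificates.

```python
import base64
import re
from typing import Iterable, List, Optional, Tuple

Header = Tuple[str, str]
SANITIZED = ("client-cert", "client-cert-chain")
# sf-binary item: colon-delimited base64 (RFC 8941 Section 3.3.5)
SF_BINARY = re.compile(r"^:([A-Za-z0-9+/=]*):$")


def sf_binary(data: bytes) -> str:
    """Encode raw DER bytes as a Structured Field Byte Sequence."""
    return ":" + base64.b64encode(data).decode("ascii") + ":"


def sanitize_inbound(headers: List[Header], mtls_negotiated: bool,
                     client_der: Optional[bytes] = None,
                     chain_der: Iterable[bytes] = ()) -> List[Header]:
    """TTRP step from Section 2.4, applied to headers received from the client.

    Every Client-Cert / Client-Cert-Chain instance the client sent is dropped,
    so a client cannot assert a certificate identity to the origin. Only when
    client certificate authentication was negotiated on the TLS connection
    does the TTRP add fields derived from the handshake itself.
    """
    out = [(n, v) for n, v in headers if n.lower() not in SANITIZED]
    if mtls_negotiated and client_der is not None:
        out.append(("Client-Cert", sf_binary(client_der)))
        # One instance per chain certificate, emitted in handshake order
        # (Section 4.4.2 of [TLS]); List semantics preserve that order.
        for der in chain_der:
            out.append(("Client-Cert-Chain", sf_binary(der)))
    return out


def collect_chain(headers: List[Header]) -> List[bytes]:
    """Origin side: combine all Client-Cert-Chain instances, in order, into
    one list, as RFC 8941 Section 4.2 requires for a List field."""
    chain: List[bytes] = []
    for n, v in headers:
        if n.lower() != "client-cert-chain":
            continue
        for member in v.split(","):
            m = SF_BINARY.match(member.strip())
            if not m:
                raise ValueError("malformed Client-Cert-Chain member: %r" % member)
            chain.append(base64.b64decode(m.group(1)))
    return chain
```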