Re: Secondary Certificates

Hi everyone,

Following up on this: I've made some revisions to the draft to clarify usage and related mechanisms; see the updated version: https://datatracker.ietf.org/doc/draft-egorbaty-httpbis-secondary-server-certs/01/

Mainly, these revisions address:
- Removing any remaining references to client certificates to focus on server authentication
- Clarifying the usage of the spontaneous server certificates flow from TLS Exported Authenticators
- More strongly suggesting the usage of ORIGIN in the event that a DNS check is not used

Other changes (like using multiple frames to send authenticators over HTTP/2) should come later, but those are less interesting as far as the vision of the draft is concerned.

Regarding use cases, it seems that discussion so far has revolved around two main uses for this:
- CDNs being able to make additional origins that they support available to particular requesters at a much more controlled, granular level than massive "cruise-liner" certificates at TLS establishment
- Forward-proxies like MASQUE being able to switch to a reverse-proxy mode for particular origins, either optimistically or in response to particular requests

Feedback on all of this would be appreciated!

Thanks,
Eric Gorbaty
Apple


> On Oct 11, 2023, at 5:34 PM, Mark Nottingham <mnot@mnot.net> wrote:
> 
> Hello everyone,
> 
> At IETF 117, we had a discussion about reviving the Secondary Certificates work:
>  https://httpwg.org/wg-materials/ietf117/minutes.html#secondary-certificate-authentication-of-http-servers---eric-gorbaty
> 
> The Chairs are considering issuing a Call for Adoption for this work, because there seems to be significant interest in this area still. However, more discussion about the use cases would help us make a decision about re-starting this work. 
> 
> If necessary, we can reserve some further time in Prague, but mailing list discussion is preferred.
> 
> Cheers,
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 
> 

Received on Thursday, 12 October 2023 20:05:22 UTC