Re: Secondary Certificates

This is definitely an interesting area of work. I think the use cases are
useful and I'll happily volunteer to review drafts and all that.
Consider this a statement of support for spending WG time on this topic.
David

On Thu, Oct 12, 2023 at 1:07 PM Eric Gorbaty <e_gorbaty@apple.com> wrote:

> Hi everyone,
>
> Following up on this: I've made some revisions to the draft to clarify
> usage and related mechanisms, see the updated version:
> https://datatracker.ietf.org/doc/draft-egorbaty-httpbis-secondary-server-certs/01/
>
> Mainly, these revisions address:
> - Removing any remaining references to client certificates to focus on
> server authentication
> - Clarify the usage of the spontaneous server certificates flow from TLS
> Exported authenticators
> - More strongly suggest the usage of ORIGIN in the event that a DNS check
> is not used
>
> Other changes (like using multiple frames to send authenticators over
> HTTP/2) should come later, but those are less interesting as far as the
> vision of the draft is concerned.
>
> Regarding use cases, it seems that discussion so far has revolved around
> two main uses for this:
> - CDNs being able to make additional origins that they support available
> to particular requesters at a much more controlled, granular level than
> massive "cruise-liner" certificates at TLS establishment
> - Forward-proxies like MASQUE being able to switch to a reverse-proxy mode
> for particular origins, either optimistically or in response to particular
> requests
>
> Feedback on all of this would be appreciated!
>
> Thanks,
> Eric Gorbaty
> Apple
>
>
> > On Oct 11, 2023, at 5:34 PM, Mark Nottingham <mnot@mnot.net> wrote:
> >
> > Hello everyone,
> >
> > At IETF 117, we had a discussion about reviving the Secondary
> > Certificates work:
> >
> > https://httpwg.org/wg-materials/ietf117/minutes.html#secondary-certificate-authentication-of-http-servers---eric-gorbaty
> >
> > The Chairs are considering issuing a Call for Adoption for this work,
> > because there seems to be significant interest in this area still. However,
> > more discussion about the use cases would help us make a decision about
> > re-starting this work.
> >
> > If necessary, we can reserve some further time in Prague, but mailing
> > list discussion is preferred.
> >
> > Cheers,
> >
> > --
> > Mark Nottingham   https://www.mnot.net/
> >

Received on Friday, 13 October 2023 00:19:43 UTC