- From: Martin Thomson <mt@lowentropy.net>
- Date: Wed, 17 Jan 2024 11:14:43 +1100
- To: ietf-http-wg@w3.org
On Wed, Jan 17, 2024, at 10:19, Kazu Yamamoto wrote:

> What is the current recommended way for client-authentication after a
> TLS 1.3 connection is established without client authentication?

For HTTP, I generally recommend using HTTP authentication (https://datatracker.ietf.org/doc/html/rfc9110#section-11.6). The simpler schemes (Basic, Digest, Bearer) have some pretty significant drawbacks, but they are widely used.

https://httpwg.org/http-extensions/draft-ietf-httpbis-unprompted-auth.html has some promising characteristics, including a binding to the TLS connection.

In choosing here, a lot depends on whether you intend to build a single service or you are looking at designing an HTTP-based protocol that others might want to deploy.
Received on Wednesday, 17 January 2024 00:15:12 UTC