- From: Yaroslav Rosomakho <yrosomakho@zscaler.com>
- Date: Mon, 7 Jul 2025 17:45:55 +0100
- To: ietf-http-wg@w3.org
- Cc: jonathan.hoyland@gmail.com
- Message-ID: <CAMtubr2JAF9KFse6RcFgu=ezeThV3ggDf3RcqHwMgzz_42nVkQ@mail.gmail.com>
Dear HTTP Working Group,

Jonathan and I just published the initial version of a Secondary Certificate Authentication for HTTP Clients individual draft. This document defines a mechanism that enables HTTP/2 and HTTP/3 clients to provide additional certificate-based credentials after the TLS handshake has completed, using Exported Authenticators (RFC 9261). It builds on top of the framework established in Secondary Certificate Authentication for HTTP Servers and is designed to support scenarios where clients may need to authenticate dynamically or provide multiple identities (e.g., separate user and device certificates).

Notable differences between Client and Server secondary certificate authentication are:

- As unprompted client authenticators are not allowed in RFC 9261, the server sends authenticator requests in an AUTHENTICATOR_REQUESTS frame
- The client indicates the limit of outstanding authenticator requests in its SETTINGS, which is also used to negotiate support for this capability
- The server may replenish the pool of authenticator requests after the client provides one or more CERTIFICATES

We welcome your feedback and look forward to discussion on this mechanism.

Best regards,
Yaroslav and Jonathan

---------- Forwarded message ---------

A new version of Internet-Draft draft-rosomakho-httpbis-secondary-client-certs-00.txt has been successfully submitted by Yaroslav Rosomakho and posted to the IETF repository.

Name:     draft-rosomakho-httpbis-secondary-client-certs
Revision: 00
Title:    Secondary Certificate Authentication of HTTP Clients
Date:     2025-07-07
Group:    Individual Submission
Pages:    14
URL:      https://www.ietf.org/archive/id/draft-rosomakho-httpbis-secondary-client-certs-00.txt
Status:   https://datatracker.ietf.org/doc/draft-rosomakho-httpbis-secondary-client-certs/
HTML:     https://www.ietf.org/archive/id/draft-rosomakho-httpbis-secondary-client-certs-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-rosomakho-httpbis-secondary-client-certs

Abstract:

This document defines a mechanism for HTTP/2 and HTTP/3 clients to provide additional certificate-based credentials after the TLS handshake has completed, using TLS Exported Authenticators. Unlike traditional client authentication during the TLS handshake, this mechanism allows clients to present multiple certificates over the lifetime of a session.

The IETF Secretariat
Received on Monday, 7 July 2025 16:57:42 UTC
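The three differences listed in the announcement amount to a small credit-based flow control for authenticator requests: the client advertises a window in SETTINGS, the server may have at most that many requests outstanding, and each CERTIFICATES frame returned by the client frees a slot that the server can refill. The following toy model is an added illustration, not code from the draft or from its authors. It models only the bookkeeping, not the wire format or the RFC 9261 authenticator construction; the setting identifier SETTINGS_MAX_AUTHENTICATOR_REQUESTS, the request_id field, and the dictionary shape of the frames are assumptions, while AUTHENTICATOR_REQUESTS, CERTIFICATES and SETTINGS are the names the announcement uses.

```python
"""Toy model of the outstanding-authenticator-request window described in the
announcement. Added example, not the draft's code. Setting name, request_id
and frame layout are assumptions; only the credit accounting is modelled."""
from dataclasses import dataclass, field
from typing import List


class ProtocolError(Exception):
    """Raised when a peer would violate the advertised limit."""


@dataclass
class AuthenticatorRequest:
    """Opaque server-initiated request (would carry an RFC 9261 CertificateRequest)."""
    request_id: int
    body: bytes  # constructed placeholder, not a real CertificateRequest


@dataclass
class Client:
    """Client that advertised its outstanding-request limit in SETTINGS."""
    max_outstanding: int                        # value carried in SETTINGS
    pending: List[AuthenticatorRequest] = field(default_factory=list)

    def settings_frame(self) -> dict:
        # Hypothetical setting identifier; the draft's real name is not on the page.
        return {"SETTINGS_MAX_AUTHENTICATOR_REQUESTS": self.max_outstanding}

    def on_authenticator_requests(self, reqs: List[AuthenticatorRequest]) -> None:
        # The server must never push more requests than the advertised window;
        # treating overflow as a protocol error bounds per-connection state.
        if len(self.pending) + len(reqs) > self.max_outstanding:
            raise ProtocolError("server exceeded advertised authenticator request limit")
        self.pending.extend(reqs)

    def answer(self, request_id: int, authenticator: bytes) -> dict:
        # Emit a CERTIFICATES frame answering one pending request and drop it locally.
        req = next(r for r in self.pending if r.request_id == request_id)
        self.pending.remove(req)
        return {"frame": "CERTIFICATES", "request_id": request_id,
                "authenticator": authenticator}


@dataclass
class Server:
    """Server tracking how many authenticator requests it may still send."""
    window: int = 0        # learned from the client's SETTINGS
    outstanding: int = 0
    next_id: int = 1

    def on_settings(self, settings: dict) -> None:
        self.window = settings.get("SETTINGS_MAX_AUTHENTICATOR_REQUESTS", 0)

    def supports_secondary_auth(self) -> bool:
        # An absent or zero limit means the client did not opt in.
        return self.window > 0

    def send_requests(self, n: int) -> List[AuthenticatorRequest]:
        # Refuse locally rather than let the client catch the violation.
        if self.outstanding + n > self.window:
            raise ProtocolError("would exceed client's outstanding request limit")
        reqs = [AuthenticatorRequest(self.next_id + i, b"constructed-request")
                for i in range(n)]
        self.next_id += n
        self.outstanding += n
        return reqs

    def on_certificates(self, frame: dict) -> None:
        # Each CERTIFICATES frame consumes one outstanding request and frees a slot,
        # which is what lets the server replenish the pool.
        self.outstanding -= 1


def run_exchange(limit: int = 2) -> dict:
    """Drive one session: SETTINGS, a full window, one answer, one replenishment."""
    client = Client(max_outstanding=limit)
    server = Server()
    server.on_settings(client.settings_frame())
    if not server.supports_secondary_auth():
        return {"negotiated": False}
    client.on_authenticator_requests(server.send_requests(limit))
    try:                              # window is full: one more must be refused
        server.send_requests(1)
        overflow_refused = False
    except ProtocolError:
        overflow_refused = True
    server.on_certificates(client.answer(1, b"constructed-user-authenticator"))
    client.on_authenticator_requests(server.send_requests(1))   # replenish one slot
    return {"negotiated": True,
            "overflow_refused": overflow_refused,
            "client_pending": [r.request_id for r in client.pending],
            "server_outstanding": server.outstanding}
```

The point worth checking in any real implementation is the two-sided enforcement: the server stops itself at the window, and the client independently treats an overflow as a protocol error, so a misbehaving peer cannot grow the pending-request state without bound.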