- From: Brian Campbell <bcampbell@pingidentity.com>
- Date: Sat, 1 Nov 2025 12:13:37 -0600
- To: Christopher Patton <cpatton@cloudflare.com>
- Cc: ietf-http-wg@w3.org
- Message-ID: <CA+k3eCRdiyzENDdvMmz_nguGP2feOQSNC0U5hgncJ3-+SfrBkw@mail.gmail.com>
I am wondering what happened to support for the approach of using TLS client certificate authentication with a simple extension in the client hello to indicate willingness/ability/interest in getting a CertificateRequest message? On Thu, Oct 30, 2025 at 9:34 AM Christopher Patton <cpatton@cloudflare.com> wrote: > HI all, > > The newly minted Web Bot Auth WG is considering a use case for RFC 9421. > However, Jonathan Hoyland and I are concerned that this authentication > mechanism may be insufficient for the security of the use case. > > With that in mind, we'd appreciate your feedback on the following (short!) > draft that defines an HTTP signature component for binding to the TLS > channel: > > https://datatracker.ietf.org/doc/draft-hoypat-httpbis-message-signatures-ekm/ > > We're interested to know if the WG had considered TLS binding while > working on RFC 9421 (I wasn't around for this process) and what the best > way is to implement it. > > Note: We're not seeking adoption by HTTPBIS at this time. We're planning > to present the draft at Web Bot Auth next week. In preparing for that > presentation, we'd like to know if you all think this draft is useful and > going in the right direction. > > Thanks in advance! > Chris P. > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
Received on Saturday, 1 November 2025 18:14:09 UTC