- From: Christopher Patton <cpatton@cloudflare.com>
- Date: Sat, 1 Nov 2025 11:50:16 -0700
- To: Brian Campbell <bcampbell@pingidentity.com>
- Cc: ietf-http-wg@w3.org
Received on Saturday, 1 November 2025 18:50:33 UTC
Hi Brian,

> I am wondering what happened to support for the approach of using TLS
> client certificate authentication with a simple extension in the client
> hello to indicate willingness/ability/interest in getting
> a CertificateRequest message?
>

I believe you're referring to this draft: https://datatracker.ietf.org/doc/draft-jhoyla-req-mtls-flag/

There's been a lot of discussion around this draft, most of which is probably not super relevant to HTTPBIS. If you'd like to follow up, I've tried to summarize the most salient feedback here:

https://github.com/jhoyla/draft-jhoyla-req-mtls-flag/issues/20
https://github.com/jhoyla/draft-jhoyla-req-mtls-flag/issues/21

You may also want to check out this alternative: https://datatracker.ietf.org/doc/draft-rosomakho-tls-wimse-cert-hint/

Instead of merely indicating "support" for CertificateRequest, the client indicates which PKI it's part of, i.e., which roots the server should use to authenticate the client. In my view, this is the best way forward for TLS client authentication for Web Bot Auth.

Best,
Chris P.