Re: Binding HTTP signatures (RFC 9421) to TLS

Thanks Chris, and yeah, you are right, most of that is probably not super
relevant to HTTPBIS. Apologies. I kinda lost track of which list I was on,
and the mention of TLS things and Web Bot Auth together reminded me that
I'd been wanting to understand better why the request mTLS client hint
thing seemed to have fallen out of favor with webbotauth (I've added
web-bot-auth@ietf.org to the cc). It seemed like a good fit in some of the
early discussions in what would become webbotauth. Maybe the initial
webbotauth meeting tomorrow will help shed some light on how things seem to
have unfolded there so far.



On Sat, Nov 1, 2025 at 2:50 PM Christopher Patton <cpatton@cloudflare.com>
wrote:

> Hi Brian,
>
> I am wondering what happened to support for the approach of using TLS
>> client certificate authentication with a simple extension in the client
>> hello to indicate willingness/ability/interest in getting
>> a CertificateRequest message?
>>
>
> I believe you're referring to this draft:
> https://datatracker.ietf.org/doc/draft-jhoyla-req-mtls-flag/
>
> There's been a lot of discussion around this draft, most of which is
> probably not super relevant to HTTPBIS. If you'd like to follow up, I've
> tried to summarize the most salient feedback here:
> https://github.com/jhoyla/draft-jhoyla-req-mtls-flag/issues/20
> https://github.com/jhoyla/draft-jhoyla-req-mtls-flag/issues/21
>
> You may also want to check out this alternative:
> https://datatracker.ietf.org/doc/draft-rosomakho-tls-wimse-cert-hint/
>
> Instead of merely indicating "support" for CertificateRequest, the client
> indicates which PKI it's part of, i.e., which roots the server should use
> to authenticate the client. In my view, this is the best way forward for
> TLS client authentication for Web Bot Auth.
>
> Best,
> Chris P.
>

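The two ClientHello signalling styles Chris contrasts above (a bare "I can answer a CertificateRequest" flag versus a hint naming the PKI the client's certificate chains to), worked through as an added illustration that is not part of the original message and is not code from either draft. The extension code points, the hint body layout, the opaque trust-anchor identifiers and the server's PKI table are all assumptions made for this example; the point it shows is what the server can do with each signal when deciding whether, and with which certificate_authorities, to send a CertificateRequest.

```python
import struct

# Hypothetical ClientHello extension code points for the two approaches discussed in the
# thread. These are illustrative values in private-use space, NOT the code points or the
# wire formats of draft-jhoyla-req-mtls-flag or draft-rosomakho-tls-wimse-cert-hint.
EXT_REQ_MTLS_FLAG = 0xFF01   # empty body: "I can answer a CertificateRequest"
EXT_CERT_HINT = 0xFF02       # body: which PKI(s) the client's certificate chains to

# Constructed server configuration (assumption): opaque trust-anchor identifier -> the
# distinguished names the server would list in CertificateRequest.certificate_authorities.
SERVER_PKIS = {
    b"bot-pki-a": ["CN=Bot Root A"],
    b"bot-pki-b": ["CN=Bot Root B"],
}


def encode_extension(ext_type: int, body: bytes) -> bytes:
    """RFC 8446 Extension: uint16 extension_type, opaque extension_data<0..2^16-1>."""
    return struct.pack("!HH", ext_type, len(body)) + body


def parse_extensions(buf: bytes) -> dict:
    """Parse a concatenation of Extension structs, rejecting truncation and duplicates."""
    exts = {}
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated extension header")
        ext_type, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if len(buf) - off < length:
            raise ValueError("truncated extension body")
        if ext_type in exts:
            raise ValueError("duplicate extension")  # RFC 8446 4.2: at most one per type
        exts[ext_type] = buf[off:off + length]
        off += length
    return exts


def encode_cert_hint(anchor_ids: list) -> bytes:
    """Hypothetical hint body: opaque anchor_ids<1..2^16-1>, each id a uint8-length opaque."""
    if not anchor_ids:
        raise ValueError("hint must carry at least one anchor id")
    inner = b"".join(struct.pack("!B", len(a)) + a for a in anchor_ids)
    return struct.pack("!H", len(inner)) + inner


def parse_cert_hint(body: bytes) -> list:
    """Inverse of encode_cert_hint, with strict length checking on both vector levels."""
    if len(body) < 3:
        raise ValueError("hint body too short")
    (inner_len,) = struct.unpack_from("!H", body, 0)
    if inner_len != len(body) - 2:
        raise ValueError("hint vector length mismatch")
    ids, off = [], 2
    while off < len(body):
        id_len = body[off]
        off += 1
        if id_len == 0 or off + id_len > len(body):
            raise ValueError("malformed anchor id")
        ids.append(body[off:off + id_len])
        off += id_len
    return ids


def plan_certificate_request(client_hello_extensions: bytes):
    """Decide what, if anything, goes into CertificateRequest.certificate_authorities.

    Returns a list of CA names, or None meaning "do not send CertificateRequest".
    """
    exts = parse_extensions(client_hello_extensions)
    if EXT_CERT_HINT in exts:
        wanted = parse_cert_hint(exts[EXT_CERT_HINT])
        cas = [ca for anchor in wanted for ca in SERVER_PKIS.get(anchor, [])]
        # No overlap with any PKI this server trusts: a CertificateRequest would only cost
        # a round trip and disclose the CA list for nothing, so skip client auth entirely.
        return cas or None
    if EXT_REQ_MTLS_FLAG in exts:
        # Flag only: the client said nothing about which PKI it belongs to, so the server
        # can do no better than advertise every CA it accepts.
        return [ca for cas in SERVER_PKIS.values() for ca in cas]
    return None


if __name__ == "__main__":
    flag_hello = encode_extension(EXT_REQ_MTLS_FLAG, b"")
    hint_hello = encode_extension(EXT_CERT_HINT, encode_cert_hint([b"bot-pki-b"]))
    print("flag ->", plan_certificate_request(flag_hello))
    print("hint ->", plan_certificate_request(hint_hello))
    print("none ->", plan_certificate_request(b""))
```

The hint branch is where the two designs differ in practice: with a PKI hint the server narrows the CA list to what the client actually claims, and can decline to request a certificate at all when there is no overlap, whereas the flag leaves it guessing and advertising its whole trust store.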

Received on Monday, 3 November 2025 22:45:13 UTC