HTTP2.0 and Certificate authentication

Yesterday in a discussion on the http WG it occurred to me how one could get support from people with an X509 background, and make the KeyURI have a dereferenceable meaning.

https://lists.w3.org/Archives/Public/ietf-http-wg/2015JulSep/0388.html

[[
The idea would be for example that a 401 with a

 WWW-Authenticate: Certificate, upload="/certs"

The client could then POST the (x509?) certificate to that location,
and receive a Location: header containing a URL that it could re-use
on future connections, and which it could use for authentication 
with something like draft-cavage-http-signatures [1]

The nice thing is that this would allow one to also use URLs
of certificates on remote servers, to avoid the whole process of
certificate uploads. (But the problem of people not having a
server would be solved by the POST described above.)

Also this provides an easy way to disable certificates by removing
them from that URL.

You could then further do content negotiation on that URL and allow
many different formats to be returned, enabling a 
move to JSON certificate formats a la JOSE or based on
JSON-LD.
]]

Note that if the server did not want to make the URL dereferenceable it could
then provide a URN.

It turns out they actually want to discuss TLS authentication right now,
so it's not the right thread to develop this idea. But it would be of interest to
this group.


Henry

Received on Wednesday, 23 September 2015 13:21:50 UTC