- From: James Bromwell <notifications@github.com>
- Date: Fri, 12 Jun 2026 07:32:14 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 12 June 2026 14:32:18 UTC
thw0rted left a comment (whatwg/fetch#869)

> mTLS was made for this.

With respect, what basis do you have for this claim? Almost every case of mTLS I've encountered in the wild uses it only on connections to dedicated login services, which then establish a traditional (cookie-based) user session and send the user back to a conventional (mTLS-free) application. Basically, where you would be asked for a different credential (user/pass, FIDO, etc.), you are instead given the option of visiting a dedicated client-cert auth endpoint, proving your identity, and getting a session cookie like the rest of us.

This is further reinforced by the prevalence of private-cert security that relies on a secondary local authentication (PIN, biometrics, OS integration with TPM) -- you don't want to leave your client cert unlocked for the whole time you're using the application.

The idea of mTLS providing ongoing, pervasive "transport layer authentication" is not something I've seen before, and I'd be interested to hear of any examples you could cite.

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/869#issuecomment-4692219267
Message ID: <whatwg/fetch/issues/869/4692219267@github.com>