Re: Client-Cert Header draft

Justin Richer, Fri, 17 April 2020 21:02 UTC

+1 for seeing this adopted and progressing within this group. This is a simple thing that different developers have had to solve for decades and each has solved it in trivially different ways. I would love to see one commonly-accepted way to do this.

TLS terminators aren’t going away any time soon, so I think we should make them at least a bit more manageable. 

 — Justin

> On Apr 15, 2020, at 5:01 PM, Brian Campbell wrote:
> Hello HTTP Working Group,
> I've somewhat inadvertently found myself working on this draft, which aspires to define a "Client-Cert" HTTP header field that allows a TLS terminating reverse proxy to convey information about the client certificate of a mutually-authenticated TLS connection to an origin server in a common and predictable manner.
> I presented the concept at the recent virtual IETF 107 secdispatch meeting and the outcome from that was basically that there seems to be some interest in pursuing the work and the suggestion that the conversation be taken to the HTTPbis WG (and also keep TLS WG involved - presumably if the work progresses). And that's what brings me here. I also hope to get a little bit of time at one of the upcoming virtual interims to present/discuss the draft.
> Thanks,
> Brian 