Re: Client-Cert Header draft

Brian Campbell <> Fri, 24 April 2020 22:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E3F653A0DF7 for <>; Fri, 24 Apr 2020 15:17:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.569
X-Spam-Status: No, score=-3.569 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.82, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wbaVhXa4M5tu for <>; Fri, 24 Apr 2020 15:17:17 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 907D73A0DF6 for <>; Fri, 24 Apr 2020 15:17:17 -0700 (PDT)
Received: from lists by with local (Exim 4.92) (envelope-from <>) id 1jS6ag-0000pt-GC for; Fri, 24 Apr 2020 22:14:34 +0000
Resent-Date: Fri, 24 Apr 2020 22:14:34 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <>) id 1jS6af-0000p8-BO for; Fri, 24 Apr 2020 22:14:33 +0000
Received: from ([2a00:1450:4864:20::130]) by with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <>) id 1jS6ad-0002nl-OH for; Fri, 24 Apr 2020 22:14:33 +0000
Received: by with SMTP id m2so8987931lfo.6 for <>; Fri, 24 Apr 2020 15:14:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=eymKww4ucAe3OOn834cqZd8GTP0wjoyF1Sbhnodnh18=; b=KBcS5Q3UZ/xd8PgWgvvVUFT/mOFH24vC0Ra2YSnfNKRfmlEse1dsjwh1AFWyihr3Eq AVjnxHAuacoP0H7R8gKXnBgSYhsCUxEIsCPzs9tLTcTP+NSxy++OEchNtdxP2WU+2Vc6 gZMc5BTfRaltSQGhecoJbe1nVEMY0pQngx/fjEEv6ddb35rDuVW+PnVwVt3U5TO6MroC CAApBsdKPKefyhbTBOUW71VLeY+HsBzwRt2TQoXnEDzod6MWhfQWo2gkEGigG6UlUKGU uov9GlICNkpiq9m1g0cJXbJ2E0H+7BC671Sub8vUrJx6/kzBOl+aJEe1NntCPq9ZgKHb Z6dA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=eymKww4ucAe3OOn834cqZd8GTP0wjoyF1Sbhnodnh18=; b=d0D2RYei+ZzYpTl79DdtyDfhObca1YYBRVfKB92BkJ7crJnI3SIEuibW5r2V4UlwqH 4N78VtCNRWQZL4bvbpyDI2WLQ3Y7MHzvrcvZnsTiLVJdJQgBmw90Ynl2aV6e+OAHi/Re 7uE0F572jeOdWaOi8fq9s69GcPNj6JG1OwETnKiao7DpWThgySRGqJ1Ibuxf0ue/X6ak 2KVLnk0bGrAnDsmN9PgfRss+bDcFR1EK1bXxV992zs0QnZih2w2H6QrKE6dDffsJ8vj0 guBOhjWxoM4AmtWIarp2qfiHpywkLqVopKxyyETbHQg+ZWDG2sCHVatz20E9B2vCy0KI r2mQ==
X-Gm-Message-State: AGi0PuZWOWjS0o5gNmgq1JYNApWozODifa3L2buN1ubEDt69+OB7WTr1 ClVgH0opGR30nDDBIQt0TPrFegdd0Yx//qovvOktZaPehJ0DdTbtIb7QNci9r17cMF+qb0sxGVe PC6ctLcxFANP6BtQiZQUc2a0Scw==
X-Google-Smtp-Source: APiQypIyfzJZYTJh1z+69d0nElSH9Zf3RoyAoo9jI0G2BguQKcxLaNTwb2D9lvw9ysnF3jneOtNBqIB8eb+s3pn9sTk=
X-Received: by 2002:ac2:515d:: with SMTP id q29mr7615367lfd.210.1587766459911; Fri, 24 Apr 2020 15:14:19 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Brian Campbell <>
Date: Fri, 24 Apr 2020 16:13:53 -0600
Message-ID: <>
To: James <>
Cc: Graham Leggett <>, HTTP Working Group <>
Content-Type: multipart/alternative; boundary="000000000000d46f4005a410af85"
Received-SPF: pass client-ip=2a00:1450:4864:20::130;;
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1jS6ad-0002nl-OH f0e4b3eadf54af05360ced356ea491db
Subject: Re: Client-Cert Header draft
Archived-At: <>
X-Mailing-List: <> archive/latest/37550
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

The draft is trying to be agnostic to things like TLS being used from TRRP
to Origin or not. But certainly doesn't rule it out. The intro has
"...HTTPS is also usually employed between the proxy and the origin

On Wed, Apr 22, 2020 at 6:56 AM James <> wrote:

> On 21/04/2020 23:17, Graham Leggett wrote:
> > Having read the draft, one thing I would suggest is that the ability
> > exists for the contents of the Client-Cert header to be signed, so that
> > anyone who cares can verify that the header came from where it said it
> > came from ... (I wouldn’t make this a MUST requirement, but maybe  >
> RECOMMENDED perhaps).
> +1 for it not being a MUST as I think that signing the header should
> only be RECOMMENDED or SHOULD be present when the TRRP to Origin
> connection is NOT using TLS itself. Perhaps this could be offered as a
> separate header itself. The draft appears to focus around no TLS being
> used from TRRP to Origin, I have uses cases where it exists - such as a
> publicly trusted CA used on the TRRP's server certificate, but an
> internal CA used to the Origin.
> - J

_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._