Client-Cert Header draft

Brian Campbell <> Thu, 16 April 2020 08:04 UTC

From: Brian Campbell <>
Date: Wed, 15 Apr 2020 15:01:13 -0600
To: HTTP Working Group <>

Hello HTTP Working Group,

I've somewhat inadvertently found myself working on this draft,
which aspires to define a "Client-Cert" HTTP header field that allows a TLS
terminating reverse proxy to convey information about the client
certificate of a mutually-authenticated TLS connection to an origin server
in a common and predictable manner.

I presented the concept
at the recent virtual IETF 107 secdispatch meeting
and the outcome from that was basically that there seems to be some
interest in pursuing the work and the suggestion that the conversation be
taken to the HTTPbis WG (and also keep TLS WG involved - presumably if the
work progresses). And that's what brings me here. I also hope to get a
little bit of time at one of the upcoming virtual interims to
present/discuss the draft.

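The proxy-to-origin pattern the message describes, as an added example that is not code from the draft or from its author: a model of the two hops, with the two checks a practitioner would want to see before trusting such a header. The header value encoding used here (plain base64 of the DER certificate) is an assumption for illustration only; the message above does not state the draft's wire format, and the function names and the sample certificate bytes are constructed for this example.

```python
import base64
from typing import Dict, Optional

# Header field name proposed in the draft. The value encoding used here
# (plain base64 of the DER certificate) is an assumption for this example;
# the message above does not state the draft's wire format.
CLIENT_CERT_HEADER = "Client-Cert"

# Constructed stand-in for a DER-encoded client certificate. Not a real
# certificate; it only needs to round-trip through the header.
SAMPLE_CLIENT_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-der-placeholder"


def _drop_header(headers: Dict[str, str], name: str) -> Dict[str, str]:
    """Return a copy of headers without any field matching name, compared
    case-insensitively (HTTP field names are case-insensitive, so a
    client-sent 'client-cert' must be removed as well)."""
    return {k: v for k, v in headers.items() if k.lower() != name.lower()}


def proxy_forward(client_headers: Dict[str, str],
                  peer_cert_der: Optional[bytes],
                  handshake_verified: bool) -> Dict[str, str]:
    """Model of the TLS-terminating reverse proxy's request rewriting.

    1. Strip any Client-Cert field the client itself sent, whether or not a
       certificate was presented: otherwise an unauthenticated client can
       inject a certificate of its choosing and the origin cannot tell.
    2. Add the proxy's own Client-Cert field only when the TLS layer actually
       verified a client certificate on this connection.
    """
    forwarded = _drop_header(client_headers, CLIENT_CERT_HEADER)
    if handshake_verified and peer_cert_der is not None:
        forwarded[CLIENT_CERT_HEADER] = base64.b64encode(peer_cert_der).decode("ascii")
    return forwarded


def origin_client_cert(headers: Dict[str, str],
                       from_trusted_proxy: bool) -> Optional[bytes]:
    """Origin side: recover the DER certificate the proxy vouched for.

    The header is only meaningful on the hop from the trusted proxy; a request
    that reached the origin any other way (direct access, an unexpected second
    proxy) must have the field ignored regardless of its content.
    Returns None when there is no usable certificate.
    """
    if not from_trusted_proxy:
        return None
    value = next((v for k, v in headers.items()
                  if k.lower() == CLIENT_CERT_HEADER.lower()), None)
    if value is None:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


if __name__ == "__main__":
    # Spoofing attempt: no client cert in the handshake, header injected by the client.
    spoofed = proxy_forward({"Host": "app.example", "client-cert": "AAAA"}, None, False)
    print(origin_client_cert(spoofed, from_trusted_proxy=True))  # None

    # Legitimate mutually-authenticated connection.
    good = proxy_forward({"Host": "app.example"}, SAMPLE_CLIENT_CERT_DER, True)
    print(origin_client_cert(good, from_trusted_proxy=True) == SAMPLE_CLIENT_CERT_DER)  # True
```

Both checks are needed: stripping at the proxy stops a client from smuggling its own value through, and the trusted-hop test at the origin stops anyone who can reach the origin without going through the proxy from supplying the header directly. In a real deployment the "trusted proxy" decision would come from the network path or the proxy-to-origin TLS identity, not from anything in the request itself.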