Re: Client Certificates - re-opening discussion

Jason Greene <> Mon, 21 September 2015 17:54 UTC

From: Jason Greene <>
Date: Mon, 21 Sep 2015 12:51:30 -0500
Cc: Mike Bishop <>, Mark Nottingham <>, Henry Story <>, HTTP Working Group <>
To: Mike Belshe <>

> On Sep 21, 2015, at 10:22 AM, Mike Belshe <> wrote:
> On Fri, Sep 18, 2015 at 11:31 AM, Mike Bishop <> wrote:
> We have historically had cases where customers were either legally mandated to use client certificate authentication specifically, or more generally had an IT requirement to use two-factor authentication to access enterprise resources.  I’ll research the details of some of these, and see whether I can share some details to frame this conversation in Yokohama.  Internally, we use it regularly – the certificate lives on a smartcard, the TPM, or was simply issued to the machine when it enrolled for device management.
> For us, at least, the “pain” is that we can’t support a legal requirement without falling back to HTTP/1.1 and generating even more round-trips.  Our HTTP/2 investments don’t apply as soon as we’re talking to the auth server.
> Thanks, this sounds about right.  The usability of browser-based client-auth was so awful that unless "mandated" by some law, no real user or website would use it :-)  If anyone on this thread hasn't tried client auth, you should, and then imagine turning that on for any real website.

Hmm, I always thought it was fairly straightforward. Although the thing is, the major use-case for client certs is provisioned authorized equipment. So the end-user of the browser typically doesn’t interact with it at all.

> I hope the legal requirement doesn't require that client auth be done in the HTTP protocol layer, just that the certificate based auth be done.  My own opinion is that HTTP/1.1/TLS's client auth was a mistake, and my evidence is the usability of both client-auth and basic-auth authentication schemes at the protocol layer.  Neither is used in significant amounts.  The latter was definitely moved by millions of websites into the application layer, and I see no reason why browsers shouldn't offer support for client-auth like primitives which will help customers move certificate-based client auth up a level too.

How does this help the usability of the browser? It seems to me that however you do it, the overall management of client certificates in the browser is roughly the same. You have to have a mapping of site to cert stored somewhere.