Re: Client Certificates - re-opening discussion

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 21 September 2015 16:29 UTC

Resent-Date: Mon, 21 Sep 2015 16:26:32 +0000
Resent-Message-Id: <E1Ze3vE-0004MP-5R@frink.w3.org>
To: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
References: <63DECDF0-AB59-4AFD-8E48-8C2526FD6047@mnot.net>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <56002F8E.2020109@cs.tcd.ie>
Date: Mon, 21 Sep 2015 17:25:50 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <63DECDF0-AB59-4AFD-8E48-8C2526FD6047@mnot.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=134.226.56.6; envelope-from=stephen.farrell@cs.tcd.ie; helo=mercury.scss.tcd.ie
Subject: Re: Client Certificates - re-opening discussion
Archived-At: <http://www.w3.org/mid/56002F8E.2020109@cs.tcd.ie>
Resent-From: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list

On 17/09/15 23:10, Mark Nottingham wrote:
> Hi,
> 
> We've talked about client certificates in HTTP/2 (and elsewhere) for
> a while, but the discussion has stalled.
> 
> I've heard from numerous places that this is causing Pain. So, I'd
> like to devote a chunk of our time in Yokohama to discussing this.
> 
> If you have a proposal or thoughts that might become a proposal in
> this area, please brush it off and be prepared. Of course, we can
> discuss on-list in the meantime.

As an occasional developer, I'm not fussed about how HTTPS with client
certificate based authentication works, but I have made use of this
in various server-server use-cases. It's really handy to be able to
e.g. setup a new virtual host and to be able use or test that via
curl. I suspect I'm not alone in having done that and don't recall
seeing it mentioned in this thread. (Apologies if I'm repeating stuff.)

While I could probably do all I need to without HTTP, it's easier
and I get more code/tool re-use to use client certificates. (Note,
for all cases I care about myself I can roll a new CA and certify
all the parties so I have no dependency on a 3rd party PKI like the
WebPKI.)

And while continuing to use HTTP/1.1 would be just fine for me, I'd
prefer to use standard configurations for tools, which means at some
point wanting this feature for HTTP/2 as well.

Cheers,
S.

PS: In case it's not clear, the above is wearing no IETF-hat:-)

> 
> Cheers,
> 
> -- Mark Nottingham   https://www.mnot.net/
> 
> 
> 
> 
> 
>

Client Certificates - re-opening discussion Mark Nottingham
Re: Client Certificates - re-opening discussion Martin Thomson
Re: Client Certificates - re-opening discussion henry.story@bblfish.net
Re: Client Certificates - re-opening discussion Mark Nottingham
Re: Client Certificates - re-opening discussion Ilari Liusvaara
Re: Client Certificates - re-opening discussion henry.story@bblfish.net
Re: Client Certificates - re-opening discussion Mike Belshe
Re: Client Certificates - re-opening discussion Mark Nottingham
RE: Client Certificates - re-opening discussion Mike Bishop
Re: Client Certificates - re-opening discussion Ilari Liusvaara
Re: Client Certificates - re-opening discussion Eric Rescorla
Re: Client Certificates - re-opening discussion Ilari Liusvaara
Re: Client Certificates - re-opening discussion Stefan Eissing
Re: Client Certificates - re-opening discussion Eric Rescorla
RE: Client Certificates - re-opening discussion Mike Bishop
Re: Client Certificates - re-opening discussion Yoav Nir
RE: Client Certificates - re-opening discussion Mike Bishop
Re: Client Certificates - re-opening discussion Yoav Nir
Re: Client Certificates - re-opening discussion henry.story@bblfish.net
Re: Client Certificates - re-opening discussion Kyle Rose
Re: Client Certificates - re-opening discussion Yoav Nir
Re: Client Certificates - re-opening discussion Stefan Eissing
Re: Client Certificates - re-opening discussion Kyle Rose
Re: Client Certificates - re-opening discussion Mike Belshe
Re: Client Certificates - re-opening discussion henry.story@bblfish.net
Re: Client Certificates - re-opening discussion Stephen Farrell
Re: Client Certificates - re-opening discussion Kyle Rose
Re: Client Certificates - re-opening discussion Jason Greene
Re: Client Certificates - re-opening discussion henry.story@bblfish.net
RE: Client Certificates - re-opening discussion Mike Bishop
Re: Client Certificates - re-opening discussion Stefan Eissing
Re: Client Certificates - re-opening discussion henry.story@bblfish.net
Re: Client Certificates - re-opening discussion Alex Rousskov
Re: Client Certificates - re-opening discussion Mark Nottingham
Re: Client Certificates - re-opening discussion Stefan Eissing
Re: Client Certificates - re-opening discussion Martin Thomson
RE: Client Certificates - re-opening discussion Mike Bishop
Re: Client Certificates - re-opening discussion Yoav Nir
Re: Client Certificates - re-opening discussion Ryan Hamilton