Re: Client-Cert Header draft

Graham Leggett <> Fri, 24 April 2020 23:11 UTC

Date: Sat, 25 Apr 2020 01:07:09 +0200
Cc: James <>, HTTP Working Group <>
To: Brian Campbell <>

On 25 Apr 2020, at 00:13, Brian Campbell <> wrote:

> The draft is trying to be agnostic to things like TLS being used from TTRP to Origin or not. But certainly doesn't rule it out. The intro has "...HTTPS is also usually employed between the proxy and the origin server…".

In essence, as a user of this I care only about two things:

- I care what was the cert; and
- I care who asserts this cert is legit.

The first bit is easy - the cert is in the header. I would like the second bit to be as easy as “verify a signature on the header”.

All the stuff about how it’s used is largely academic; as long as I get the above two things, I as a user am happy. What cert is used to sign? I don't want the RFC to care; that’s an implementation detail. Let me choose a signature that works for me in my use case.

Key for me is the second line above - if I don’t have a cryptographically secure way to verify where the cert came from, the header is useless to me.
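The two requirements stated above (what the cert was, and who asserts it), as an added example that is not code from the draft, from this message's author or from any project in the thread: a Go sketch of a proxy that forwards the client certificate as base64 DER in a Client-Cert header and signs it, and an origin that accepts the certificate only after verifying that signature. The Client-Cert-Signature field and its "ts=...; sig=..." layout, the choice of Ed25519 for the proxy's signing key, and the binding of method, host, path and a timestamp into the signed bytes are all assumptions of this example, not anything the draft specifies; the client certificates are constructed in the code as sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// makeSampleClientCert builds a constructed, self-signed client certificate that
// stands in for the one the TLS-terminating proxy received in the handshake.
func makeSampleClientCert(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// signingInput is the assumed byte string the proxy signs: binding method, host,
// path and a timestamp stops a captured header being replayed on another request.
func signingInput(certB64, method, host, path string, ts int64) []byte {
	return []byte(strings.Join([]string{
		"client-cert-v1", certB64, method, host, path, strconv.FormatInt(ts, 10),
	}, "\n"))
}

// AddClientCertHeaders is the proxy side: Client-Cert carries the base64 DER, and
// the assumed Client-Cert-Signature field carries the timestamp and an Ed25519 signature.
func AddClientCertHeaders(req *http.Request, certDER []byte, priv ed25519.PrivateKey, now time.Time) {
	certB64 := base64.StdEncoding.EncodeToString(certDER)
	ts := now.Unix()
	sig := ed25519.Sign(priv, signingInput(certB64, req.Method, req.Host, req.URL.Path, ts))
	req.Header.Set("Client-Cert", certB64)
	req.Header.Set("Client-Cert-Signature",
		fmt.Sprintf("ts=%d; sig=%s", ts, base64.StdEncoding.EncodeToString(sig)))
}

// VerifyClientCert is the origin side: the certificate is trusted only if the signature
// verifies under the proxy's public key and the timestamp is within maxAge of the origin clock.
func VerifyClientCert(req *http.Request, pub ed25519.PublicKey, now time.Time, maxAge time.Duration) (*x509.Certificate, error) {
	certB64, sigField := req.Header.Get("Client-Cert"), req.Header.Get("Client-Cert-Signature")
	if certB64 == "" || sigField == "" {
		return nil, errors.New("Client-Cert or Client-Cert-Signature missing")
	}
	var ts int64
	var sigB64 string
	for _, part := range strings.Split(sigField, ";") {
		// base64 padding also uses '=', so split on the first '=' only
		if k, v, _ := strings.Cut(strings.TrimSpace(part), "="); k == "ts" {
			ts, _ = strconv.ParseInt(v, 10, 64)
		} else if k == "sig" {
			sigB64 = v
		}
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if ts == 0 || err != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("malformed Client-Cert-Signature")
	}
	if age := now.Sub(time.Unix(ts, 0)); age > maxAge || age < -maxAge {
		return nil, errors.New("Client-Cert-Signature timestamp outside acceptance window")
	}
	if !ed25519.Verify(pub, signingInput(certB64, req.Method, req.Host, req.URL.Path, ts), sig) {
		return nil, errors.New("Client-Cert-Signature does not verify under the proxy key")
	}
	der, err := base64.StdEncoding.DecodeString(certB64)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // the origin still applies its own policy to the parsed cert
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // proxy key pair; the origin holds only pub
	der, _ := makeSampleClientCert("alice")
	req, _ := http.NewRequest("GET", "https://origin.example/api/profile", nil)
	AddClientCertHeaders(req, der, priv, time.Now())
	_, err := VerifyClientCert(req, pub, time.Now(), time.Minute)
	fmt.Println("genuine header, error:", err)
	// Swap in another certificate on the proxy-origin path: the signature no longer matches.
	forged, _ := makeSampleClientCert("mallory")
	req.Header.Set("Client-Cert", base64.StdEncoding.EncodeToString(forged))
	_, err = VerifyClientCert(req, pub, time.Now(), time.Minute)
	fmt.Println("substituted header, error:", err)
}
```

The point of the example is the second requirement: the origin never trusts Client-Cert on its own, only the pair of header and signature under a key it was provisioned with, so a request that reaches the origin without passing through the proxy, or whose header was rewritten in transit, is rejected. The timestamp window and the request binding are the caveats a deployment has to decide for itself; the draft leaves both open.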