- From: Yoav Nir <ynir.ietf@gmail.com>
- Date: Tue, 9 Jun 2015 10:58:00 +0300
- To: HTTP Working Group <ietf-http-wg@w3.org>
Hi Long time ago there was a long discussion about using client certificates on the web with HTTP/2. Feel free to skip the next paragraph if you remember the issue. Most of the web does not use client certificates. Websites that do don’t like users to get a certificate picker when they first land on the page. So what they do is protect the site with regular, server-authenticated TLS and have a landing page. On the landing page there’s going to be something clickable that says “login with certificates”. When the user clicks that, it sends a request for some resource (maybe “/loginWithCerts.html”). When the server gets that request, it triggers the TLS layer to re-negotiate, this time with the certificate request message that causes the certificate picker to pop up. This is the way it’s usually done in HTTP/1, but for HTTP/2, section 9.2.1 prohibits this use or renegotiation and hints at future specification that might provide this. So a year ago Martin Thomson wrote a pair of draft for solving this: one an HTTP authentication scheme that just says, “go away and come back with a certificate”, while the other is a TLS extension that tells the server that the client would like to authenticate: https://tools.ietf.org/html/draft-thomson-httpbis-catch-00 https://tools.ietf.org/html/draft-thomson-tls-care-00 Neither was adopted, here or at TLS, so currently HTTP/2 is not usable with mutual authentication. Why has this (useful IMO) extension withered on the vine rather than progressed? If anyone needs help in pushing this along, I’ll be glad to help. Yoav
Received on Tuesday, 9 June 2015 07:58:36 UTC