> On Dec 28, 2018, at 3:55 PM, Brian Campbell
> wrote:
>
> All of that is meant as an explanation of sorts to say that I think that
> things are actually okay enough as is and that I'd like to retract the
> proposal I'd previously made about the MTLS draft introducing a new AS
> metadata
> On Dec 28, 2018, at 3:55 PM, Brian Campbell
> wrote:
>
> I spent some time this holiday season futzing around with a few different
> browsers to see what kind of UI, if any, they present to the user when seeing
> different variations of the server requesting a client certificate during the
On Mon, Jan 07, 2019 at 10:21:51AM -0700, Brian Campbell wrote:
> I don't honestly know for sure but I suspect that employees of big
> corporations will likely have keys/certs on their devices/machines that are
> issued by some internal CA and provisioned to them automatically (and in
> many cases
>
> In this example, the custom certificates one has to install on their
> system are additional root CAs, right?
Correct, *in this example.*
> From my observations that has no bearing on the prompting behavior of the
> browsers (and shouldn't). What dictates the behavior is whether the browser
Yes *but* not when the client is a javascript application running in the
user's browser. And the direction this WG is taking is to start/continue to
suggest that such clients use the code flow (which hits the token endpoint)
rather than the implicit (which only hits the authorization endpoint).
On
inline below...
On Mon, Jan 7, 2019 at 11:15 AM Filip Skokan wrote:
> I think we shouldn't make a sweeping assumption that may potentially harm
> UX for end-users. Even if for a small percentage. Though I can say for sure
> this percentage may also be rather significant depending on the types of
>