+1 to David. If it’s a redirect, 307 is more appropriate. It’s up to the AS to
decide if the client should do MTLS or not, if there’s an option.
— Justin
On Feb 4, 2019, at 12:17 PM, David Waite <da...@alkaline-solutions.com> wrote:
My understanding is that a permanent redirect would be
I’m less and less convinced that a redirect is the best way to do this.
I was reading the WHATWG Fetch spec yesterday, in particular the entries about
CORS, and realised that for cross-origin requests TLS client certificates are
treated as credentials just like cookies:
https://fetch.spec.whatw
I for one believe the points are somewhat easily addressable, and fear that by
just shoving MTLS out the door and dealing with the browser UX caveats later
we’ll end up with a state where, if an AS wants to have MTLS enabled without UX
affected, proprietary solutions will pop up, thus interoperabi
Filip did some testing along these lines awhile back. Although I think he
was more focused on the other side of things by instructing the fetch/XHR
request to omit sending credentials. The behavior he saw was that he wasn't
able to suppress the certificate selection prompting as expected or hoped.
It may well be due to my own intellectual shortcomings but these
issues/questions/confusion-points are not resonating for me as being
problematic.
The more general stance of "this isn't needed or worth it in this document"
(I think that's fair?) is being heard though.
On Tue, Feb 5, 2019 at 1:42