Hi Ilari,
> What sort of usecase you have in mind for this?
This is to support a fairly common website design where the landing page does
not require client auth, but subsequent request to a protected resource
triggers client authentication within an existing TLS connection.
In TLS<=1.2, this wa
> On Aug 10, 2015, at 8:10 PM, Andrei Popov wrote:
>
> Hi Ilari,
>
>> What sort of usecase you have in mind for this?
> This is to support a fairly common website design where the landing page does
> not require client auth, but subsequent request to a protected resource
> triggers client aut
> Ideally a solution would work with HTTP/1 over TLS 1.3, HTTP/2 over TLS 1.3,
> HTTP/2 over TLS 1.2, and for completeness HTTP/1 over TLS 1.2.
Correct, anything less than this will create deployment problems.
> I’d like to point out that I am very interested in this use case, but I’m not
> sure
On Mon, Aug 10, 2015 at 3:05 PM Andrei Popov
wrote:
> > Ideally a solution would work with HTTP/1 over TLS 1.3, HTTP/2 over TLS
> 1.3, HTTP/2 over TLS 1.2, and for completeness HTTP/1 over TLS 1.2.
> Correct, anything less than this will create deployment problems.
>
But this proposal is only su
> On Aug 10, 2015, at 10:04 PM, Andrei Popov wrote:
>
>> Ideally a solution would work with HTTP/1 over TLS 1.3, HTTP/2 over TLS 1.3,
>> HTTP/2 over TLS 1.2, and for completeness HTTP/1 over TLS 1.2.
> Correct, anything less than this will create deployment problems.
>
>> I’d like to point out
> One solution would be to move the authentication for this use case (and
> perhaps for HTTPS in general) from the transport layer to either HTTP as an
> authentication method or to the application (through some standardized
> exchange of JSON objects).
Doesn't this require an update of the site
The IESG has received a request from the Transport Layer Security WG
(tls) to consider the following document:
- 'A TLS ClientHello padding extension'
as Proposed Standard
The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substanti
On Mon, Aug 10, 2015 at 07:33:53PM +, David Benjamin wrote:
>
> Why not do this using HTTP's own auth framework? Have the client sign
> something which includes a channel binding, placing it and the certificate
> chain in an Authorization header. You could even transition to it in TLS
> 1.2 de
On Monday, August 10, 2015 01:10:38 pm Andrei Popov wrote:
> > What sort of usecase you have in mind for this?
>
> This is to support a fairly common website design where the landing page does
> not require client auth, but subsequent request to a protected resource
> triggers client authenticati
