A few concerns I have with this extension:

1. Privacy: clients broadcasting intent to identify themselves to anyone who asks. I know, this is intended for crawler bots, but the TLS stack does not know whether our caller is a bot, so we will have to implement API support, which will be used by various apps/services.

2. Broadcasting intent to send a client cert before knowing the CertificateRequest parameters is contrary to the design of TLS client auth. What if the available client cert does not match the future CertificateRequest?

3. The stated goal is to use this extension to selectively interrogate crawler bots. This extension will only be useful for this purpose until general Web apps start using it. Which they will do, once TLS stacks are updated to support the new extension.
Doesn't the proposed extension facilitate surveillance by letting an unauthenticated TLS server know that the client is willing to divulge its identity, and that querying client identity won't disrupt the flow or cause any notification to the user?

Cheers,

Andrei

________________________________
From: TLS <tls-boun...@ietf.org> on behalf of Ilari Liusvaara <ilariliusva...@welho.com>
Sent: Tuesday, November 7, 2023 3:36 PM
To: <tls@ietf.org> <tls@ietf.org>
Subject: [EXTERNAL] Re: [TLS] Request mTLS Flag

On Mon, Oct 23, 2023 at 12:26:03PM -0400, David Benjamin wrote:
> > So in my mind this is something that will (almost) never be sent by
> > browsers.
>
> What cases would the "(almost)" kick in? This extensions model just doesn't
> match how client certificates work in browsers. I'm not seeing any
> interpretation beyond "always send" or "never send".

Explicit configuration to send this for some names/domains. Needed for
some "enterprise" use cases (can also pop up in much smaller corporate
contexts).

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls