This sounds a bit like draft-ietf-dance-client-auth.

--Ben Schwartz
________________________________
From: Phillip Hallam-Baker <ph...@hallambaker.com>
Sent: Tuesday, May 20, 2025 10:44 PM
To: tls <tls@ietf.org>
Subject: [TLS] Transparent TLS Client Auth (t2CA)

I have floated parts of this scheme in OAUTH and DANE.

As we all know, TLS does client auth in theory but the implementations are 
unusable for two reasons:

1) Issuing client-side certs is a pain
2) The user interface asking the user to select a certificate.

Both problems could potentially be addressed by the emerging DNS handles 
infrastructure. At present, the authentication is OAUTH2 based. But TLS Client 
Authentication under a certificate validated under the DNS handle would be 
cleaner.

So, I am looking for people interested in a side meeting in Madrid.

Here is my current sketch:

User gets handle from DNS Handle provider who (usually) also runs an OAUTH2 
service under the ATprotocol profile and a private CA for the user.

The root of the private CA is bound to the DNS zone by a TXT or TLSA record.

Each device the user wants to use with their DNS handle gets issued its own 
client cert.

Users can have multiple personas and the browser selects the certificate the 
user has assigned to the site asking for authentication.


Net is that the user gets to authenticate to any site (supporting T2CA) under 
the DNS Handle and persona they have selected for their site without any 
additional hassle.


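As an added illustration (my own code, not part of Phillip's sketch or of any draft): the relying-party check a T2CA server would run on the client's certificate chain against the TLSA record that binds the handle's private CA root to the DNS zone, using the RFC 6698 usage/selector/matching-type rules. The certificate bytes, the SPKI bytes and the record value are constructed stand-ins, and the zone name the record lives under is assumed, since the sketch does not fix one.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 2 = DANE-TA (handle's private CA root), 3 = DANE-EE (device cert)
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse TLSA presentation format, e.g. '2 0 1 <hex>' (RFC 6698 section 2.2)."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata.replace(" ", "")))


@dataclass(frozen=True)
class Cert:
    der: bytes   # full DER certificate
    spki: bytes  # its DER SubjectPublicKeyInfo


def cert_matches(rec: TLSARecord, cert: Cert) -> bool:
    """Apply the record's selector and matching type to one certificate."""
    selected = cert.der if rec.selector == 0 else cert.spki
    if rec.matching_type == 0:
        return selected == rec.data
    if rec.matching_type == 1:
        return hashlib.sha256(selected).digest() == rec.data
    if rec.matching_type == 2:
        return hashlib.sha512(selected).digest() == rec.data
    raise ValueError(f"unknown matching type {rec.matching_type}")


def chain_matches_tlsa(rec: TLSARecord, chain: list) -> bool:
    """chain[0] is the device (end-entity) cert, chain[-1] the private CA root.
    This is only the DANE binding check: the server must still verify the chain's
    signatures and that the leaf names the handle it is being offered for."""
    if not chain:
        return False
    if rec.usage == 3:   # DANE-EE: the device cert itself is pinned in DNS
        return cert_matches(rec, chain[0])
    if rec.usage == 2:   # DANE-TA: an issuer above the leaf must match the pinned CA
        return any(cert_matches(rec, c) for c in chain[1:])
    return False         # usages 0/1 additionally need public-PKIX validation; not used here


# Constructed sample data (not real certificates): stand-ins for DER bytes.
ROOT = Cert(der=b"DER:private-CA-root", spki=b"SPKI:root-key")
DEVICE = Cert(der=b"DER:device-cert", spki=b"SPKI:device-key")
CHAIN = [DEVICE, ROOT]
# Constructed RDATA as it might be published at an assumed name like _t2ca.<handle>.
HANDLE_TLSA = "2 0 1 " + hashlib.sha256(ROOT.der).hexdigest()
```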
_______________________________________________
TLS mailing list -- tls@ietf.org