Hi Bill,

One of the issues with mTLS is the PKI burden on customers. There also is not a good way to convey both device and user in mTLS (e.g. you can't have independent authentications of user and device within the single mTLS exchange). Most of the customers we have spoken with have a preference to have both.

-Vinny

-----Original Message-----
From: Bill Woodcock <[email protected]>
Sent: Tuesday, October 26, 2021 12:50 PM
To: Alec Muffett <[email protected]>
Cc: Vinny Parla (vparla) <[email protected]>; [email protected]
Subject: Re: [dns-privacy] DoH Identity / Authentication...

> On Oct 26, 2021, at 6:16 PM, Alec Muffett <[email protected]> wrote:
>
> On Tue, 26 Oct 2021, 17:10 Vinny Parla (vparla), <[email protected]> wrote:
> I would appreciate your thoughts/comments on this…
>
> It sounds sensible to me.
>
> Please just make it usable via standard "curl" and/or amenable to standard web load-balancing.
>
> Or simply ratify Auth/Basic and go from there?
>
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication

I had initially been thinking that it would be good to support both web Auth and mutual TLS, but the more I talk with people about it, the more it looks like we should just do TLS. So in the absence of a really compelling argument for supporting both, along with all of the future overhead it entails, my current position is mutual TLS only.

-Bill
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
