Hi all,

So as David mentioned, this doesn't really offer anything for human
clients, and is aimed at reliably distinguishing between bots. To be honest
it might be better that browsers not implement it, because that massively
increases the number of potential users, and thus the noise we get from the
hint.

I wasn't aware that some devices ask for a cert and then choke if you send
one, although that sounds like a misconfigured server to me.

There is an argument for echoing the flag back to the client, which is to
distinguish the case where the server wants a client cert for other
reasons, and the case where it supports and honours this flag.

I decided not to include it though because I couldn't think of a plausible
situation where knowing that information would be useful.

I guess the "misconfigured servers exist" use case is plausible, so I'm
open to including it, but it seems to me that all it will do is produce a
new generation of differently misconfigured servers that set this flag and
choke when you send them a cert.

Regards,

Jonathan


P.S. mTLS is simply a shorthand for establishing a TLS session with
bilateral authentication. I could write that out in full every time, but it
doesn't add anything.

On Wed, 25 Oct 2023, 11:48 Peter Gutmann, <pgut...@cs.auckland.ac.nz> wrote:

> Viktor Dukhovni <ietf-d...@dukhovni.org> writes:
>
> >I think what you're really saying, is that it may be time replace the extant
> >client certificate request message with a completely new one, because the old
> >one is ossified.
>
> No, just have the server echo back the cert-auth flag from the client to
> indicate that it really wants to do this.
>
> Either that or mention in the RFC that some servers will send a cert request
> no matter what, so getting a cert request in response to an mTLS flag [*]
> doesn't necessarily mean that the server is expecting cert auth.  Adding the
> note at least makes it Someone Else's Problem.
>
> Peter.
>
> [*] Why is it called mTLS?  It's just TLS, mTLS doesn't add anything new that
>     hasn't been in there for decades.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
