On 2012-08-30 18:31, Carl Wallace wrote:
> On 8/30/12 12:28 PM, "Jon Callas" <[email protected]> wrote:
>
>> On Aug 30, 2012, at 9:18 AM, Carl Wallace wrote:
>>
>>>> And for issuers, it can be difficult to predict what proportion of the
>>>> user population will accept a certificate chain with certain
>>>> characteristics. For instance, when a browser includes a nonce in an
>>>> OCSP request but the server supplies a response that does not include
>>>> the nonce, it is hard to know which browsers will accept and which
>>>> will reject the response.
>>>
>>> Is client authentication processing performed by web servers in scope?
>>> If not, explicitly push that out of scope.
>>
>> It would be nice if it were in scope. Client authorization is a vastly
>> under-used feature.
>>
>> I wouldn't want to endanger everything else over it, but if we keep
>> sweeping it under the rug, it will continue to languish.
>
> I agree and would like to see it stay in scope as well.

I'm not sure what client authorization and WebPKI have in common.
Are you rather to for example TLS client-certificate-authentication?

Anders

_______________________________________________
wpkops mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/wpkops
