I would like to see us 'do' something 'about' client authentication. But I don't see much of a client PKI out there to be operated; I think we are going to have to 'build stuff' to fix it. So I don't think it's a PKI operations issue.
I would prefer to see a separate security-area WG look into the client ops side. In particular I don't want to spend time trying to work out how to automate the 'certificate lifecycle' premised on the idea that client certs expire on an annual basis in a group where we can't ask why the cert has to expire.

On Thu, Aug 30, 2012 at 12:31 PM, Carl Wallace <[email protected]> wrote:
> On 8/30/12 12:28 PM, "Jon Callas" <[email protected]> wrote:
>
>> On Aug 30, 2012, at 9:18 AM, Carl Wallace wrote:
>>
>>>> And for issuers, it can be difficult to predict what proportion of the
>>>> user population will accept a certificate chain with certain
>>>> characteristics. For instance, when a browser includes a nonce in an
>>>> OCSP request but the server supplies a response that does not include
>>>> the nonce, it is hard to know which browsers will accept and which will
>>>> reject the response.
>>>
>>> Is client authentication processing performed by web servers in scope? If
>>> not, explicitly push that out of scope.
>>
>> It would be nice if it were in scope. Client authorization is a vastly
>> under-used feature.
>>
>> I wouldn't want to endanger everything else over it, but if we keep
>> sweeping it under the rug, it will continue to languish.
>
> I agree and would like to see it stay in scope as well.
>
> _______________________________________________
> wpkops mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/wpkops

--
Website: http://hallambaker.com/
