On 2012-09-04 18:28, Phillip Hallam-Baker wrote:
> I would like to see us 'do' something 'about' client authentication.
>
> But I don't see much of a client PKI out there to be operated, I think
> we are going to have to 'build stuff' to fix it. So I don't think it's
> a PKI operations issue.

http://www.w3.org/2012/webcrypto

> I would prefer to see a separate, security area WG to look into the
> client ops side. In particular I don't want to spend time trying to
> work out how to automate the 'certificate lifecycle' premised on the
> idea that client certs expire on an annual basis in a group where we
> can't ask why the cert has to expire.
>
> On Thu, Aug 30, 2012 at 12:31 PM, Carl Wallace
> <[email protected]> wrote:
>> On 8/30/12 12:28 PM, "Jon Callas" <[email protected]> wrote:
>>
>>> On Aug 30, 2012, at 9:18 AM, Carl Wallace wrote:
>>>
>>>>> And for issuers, it can be difficult to predict what proportion of the
>>>>> user population will accept a certificate chain with certain
>>>>> characteristics. For instance, when a browser includes a nonce in an
>>>>> OCSP request but the server supplies a
>>>>> response that does not include the nonce, it is hard to know which
>>>>> browsers will accept and which will reject the response.
>>>>
>>>> Is client authentication processing performed by web servers in scope?
>>>> If not, explicitly push that out of scope.
>>>
>>> It would be nice if it were in scope. Client authorization is a vastly
>>> under-used feature.
>>>
>>> I wouldn't want to endanger everything else over it, but if we keep
>>> sweeping it under the rug, it will continue to languish.
>>
>> I agree and would like to see it stay in scope as well.
>>
>> _______________________________________________
>> wpkops mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/wpkops
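The OCSP nonce case Carl raises above (request carries a nonce, response comes back without one) is exactly a client-policy decision, and the ambiguity he describes is that each browser picks its own policy. The following is an added example, not code from this thread or from any of the browsers discussed: it builds a nonce-bearing OCSP request and three candidate responses (nonce echoed, nonce omitted as a pre-produced response would, nonce mismatched), then applies an explicit strict-or-lenient client policy to each. It assumes pyca/cryptography is installed; the CA, leaf and responder material is generated on the fly and is constructed test data, not real PKI.

```python
"""Added example (not from the wpkops thread): build an OCSP request that
carries a nonce, produce responses that echo it, omit it or return a different
one, and apply an explicit client policy to each. Uses pyca/cryptography.
The CA, leaf and responder material is generated locally and is constructed
test data, not real PKI."""
import datetime
import os

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
DER = serialization.Encoding.DER


def _cert(cn, issuer_cn, key, signing_key, is_ca):
    """Self-signed CA (is_ca=True) or CA-issued leaf; constructed test data."""
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    return (
        x509.CertificateBuilder()
        .subject_name(name(cn))
        .issuer_name(name(issuer_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW)
        .not_valid_after(NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )


def _response(leaf, ca_cert, ca_key, nonce):
    """Signed 'good' response with the CA acting as responder. nonce=None omits
    the extension entirely, which is what a pre-produced (cached) response looks like."""
    b = (
        ocsp.OCSPResponseBuilder()
        .add_response(
            cert=leaf, issuer=ca_cert, algorithm=hashes.SHA1(),
            cert_status=ocsp.OCSPCertStatus.GOOD,
            this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
            revocation_time=None, revocation_reason=None,
        )
        .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    )
    if nonce is not None:
        b = b.add_extension(x509.OCSPNonce(nonce), critical=False)
    return b.sign(ca_key, hashes.SHA256()).public_bytes(DER)


def build_fixtures():
    """Return DER blobs: one nonce-bearing request and three candidate responses."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = _cert("Test CA", "Test CA", ca_key, ca_key, True)
    leaf = _cert("leaf.example", "Test CA", leaf_key, ca_key, False)
    nonce = os.urandom(16)
    request = (
        ocsp.OCSPRequestBuilder()
        .add_certificate(leaf, ca_cert, hashes.SHA1())
        .add_extension(x509.OCSPNonce(nonce), critical=False)
        .build()
        .public_bytes(DER)
    )
    return {
        "request": request,
        "response_with_nonce": _response(leaf, ca_cert, ca_key, nonce),
        "response_without_nonce": _response(leaf, ca_cert, ca_key, None),
        "response_wrong_nonce": _response(leaf, ca_cert, ca_key, os.urandom(16)),
    }


def _nonce_of(extensions):
    """Nonce bytes from a request or response extension set, or None if absent."""
    try:
        return extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    except x509.ExtensionNotFound:
        return None


def nonce_check(request_der, response_der, strict):
    """Client-side nonce policy. A nonce-less reply to a nonce-bearing request is
    left to client policy (strict=False tolerates it, strict=True rejects it);
    a reply carrying a different nonce is never acceptable."""
    req = ocsp.load_der_ocsp_request(request_der)
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "reject"
    sent = _nonce_of(req.extensions)
    if sent is None:
        return "accept"  # we did not ask for a freshness binding
    got = _nonce_of(resp.extensions)
    if got is None:
        return "reject" if strict else "accept"
    return "accept" if got == sent else "reject"


if __name__ == "__main__":
    fx = build_fixtures()
    for name in ("response_with_nonce", "response_without_nonce", "response_wrong_nonce"):
        print(f"{name:24} strict={nonce_check(fx['request'], fx[name], True):6} "
              f"lenient={nonce_check(fx['request'], fx[name], False)}")
```

The only case where the two policies diverge is the nonce-less response; the mismatched nonce is rejected under both, and a request that never sent a nonce has nothing to check. An issuer trying to predict client behaviour is therefore really asking which value of `strict` each browser has chosen, and whether it pre-produces responses without nonces at all.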
