That sounds fair enough. My request was that if client auth was not in scope that it be explicitly called out as out of scope. I'm more interested in seeing documentation of the overlap/reuse of Web PKI components for enterprise and non-browser purposes being included as in scope since this is often a source of pain.
On 9/4/12 12:28 PM, "Phillip Hallam-Baker" <[email protected]> wrote:
>I would like to see us 'do' something 'about' client authentication.
>
>But I don't see much of a client PKI out there to be operated, I think
>we are going to have to 'build stuff' to fix it. So I don't think it's
>a PKI operations issue.
>
>I would prefer to see a separate, security area WG to look into the
>client ops side. In particular I don't want to spend time trying to
>work out how to automate the 'certificate lifecycle' premised on the
>idea that client certs expire on an annual basis in a group where we
>can't ask why the cert has to expire.
>
>On Thu, Aug 30, 2012 at 12:31 PM, Carl Wallace
><[email protected]> wrote:
>> On 8/30/12 12:28 PM, "Jon Callas" <[email protected]> wrote:
>>
>>>On Aug 30, 2012, at 9:18 AM, Carl Wallace wrote:
>>>
>>>>> And for issuers, it can be difficult to predict what proportion of the
>>>>> user population will accept a certificate chain with certain
>>>>> characteristics. For instance, when a browser includes a nonce in an
>>>>> OCSP request but the server supplies a
>>>>> response that does not include the nonce, it is hard to know which
>>>>> browsers will accept and which will reject the response.
>>>>
>>>> Is client authentication processing performed by web servers in scope? If
>>>> not, explicitly push that out of scope.
>>>
>>>It would be nice if it were in scope. Client authorization is a vastly
>>>under-used feature.
>>>
>>>I wouldn't want to endanger everything else over it, but if we keep
>>>sweeping it under the rug, it will continue to languish.
>>
>> I agree and would like to see it stay in scope as well.
