MikeBishop / http2-certs

Enabling client certificate authentication in HTTP/2

Matching CERTIFICATE_NEEDED to USE_CERTIFICATE #16

Open martinthomson opened 6 years ago

martinthomson commented 6 years ago

Right now we don't have an explicit correlation between this and the CERTIFICATE_NEEDED frame, which I think is OK, but it means that a server has to process USE_CERTIFICATE with no expectation of it actually addressing its requirements as expressed. Basically, it has to decide to authorize the request or not on the merits of what it has.

That potentially leads to a race: client thinks certificate X is what this request needs, so it sends USE_CERTIFICATE(X) after the HEADERS. Server receives the request, decides that it wants a certificate, so it sends CERTIFICATE_NEEDED and CERTIFICATE_REQUEST as soon as it processes HEADERS. Then, when the server receives the USE_CERTIFICATE(X), it decides to reject the request. The client sees the CERTIFICATE_NEEDED/CERTIFICATE_REQUEST, answers the request with CERTIFICATE(Y)/USE_CERTIFICATE(Y), but then finds the next thing it receives is a 4xx status code.

It is possible to trace the USE_CERTIFICATE(X) back to the CERTIFICATE and any CERTIFICATE_REQUEST that was made to discover that this isn't in fact a response to the CERTIFICATE_NEEDED that the server made, but it's a pretty long path to follow. Should we describe that case?
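The trace described in the comment above, replayed from the server's point of view. This is an added example, not part of the original issue or the draft's text. The `cert_id`/`request_id` bookkeeping, the class and function names, and the classification labels are assumptions made for the illustration; in particular it assumes the server can tell which CERTIFICATE_REQUEST, if any, a CERTIFICATE was sent in answer to.

```python
from dataclasses import dataclass, field


@dataclass
class ServerState:
    # cert_id -> request_id of the CERTIFICATE_REQUEST that the CERTIFICATE
    # answered (None = sent unprompted). Assumed bookkeeping, not wire format.
    cert_origin: dict = field(default_factory=dict)
    # stream_id -> request_id named by the CERTIFICATE_NEEDED sent on that stream
    needed: dict = field(default_factory=dict)

    def on_certificate(self, cert_id, request_id=None):
        self.cert_origin[cert_id] = request_id

    def send_certificate_needed(self, stream_id, request_id):
        self.needed[stream_id] = request_id

    def classify_use_certificate(self, stream_id, cert_id):
        """Follow USE_CERTIFICATE -> CERTIFICATE -> CERTIFICATE_REQUEST."""
        if cert_id not in self.cert_origin:
            return "unknown-certificate"
        wanted = self.needed.get(stream_id)
        if wanted is None:
            return "no-need-outstanding"
        if self.cert_origin[cert_id] == wanted:
            return "answers-certificate-needed"
        return "not-an-answer"


def replay_race():
    """Frames in the order the server processes them in the race above."""
    server, log = ServerState(), []
    server.on_certificate("X")                  # client offered X earlier, unprompted
    # HEADERS for stream 1 is processed; the server wants a certificate,
    # so it sends CERTIFICATE_NEEDED plus CERTIFICATE_REQUEST (id "R2").
    server.send_certificate_needed(1, "R2")
    # USE_CERTIFICATE(X) arrives next; the client sent it right after HEADERS,
    # before it could have seen CERTIFICATE_NEEDED.
    log.append(("X", server.classify_use_certificate(1, "X")))
    # The client's actual reply: CERTIFICATE(Y) for R2, then USE_CERTIFICATE(Y).
    server.on_certificate("Y", request_id="R2")
    log.append(("Y", server.classify_use_certificate(1, "Y")))
    return log


if __name__ == "__main__":
    for cert, verdict in replay_race():
        print(f"USE_CERTIFICATE({cert}) on stream 1: {verdict}")
```

A server that authorizes purely "on the merits of what it has" acts on the first verdict and rejects the request before the second frame arrives.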