MikeBishop / http2-certs

Enabling client certificate authentication in HTTP/2

Specific to certificates? #7

Open MikeBishop opened 8 years ago

MikeBishop commented 8 years ago

From Andrei:

all frame names etc. are very cert-specific. You may want to rename them “authenticators” or similar, and include auth type fields to accommodate e.g. raw keys or PSK. Or you could say non-certificate auth would have to use new frame types defined in a new spec.

I was initially uncertain that there was a use-case for proving multiple raw keys (since what we’re ultimately trying to prove with certs is a strong name binding), but coupled with DANE records as supporting data, I think you could get a name binding off a raw key as well. Browsers probably won’t support it, but that doesn’t mean the protocol couldn’t allow the flexibility to do it for IoT.

martinthomson commented 8 years ago

Ugh, DANE. We run the risk of being overly generic here. Let's just assume that it's a certificate and then do what TLS does and pack non-certificate things into certificates if it comes to that.

martinthomson commented 6 years ago

Addressed in the split.