On Sun, May 7, 2017 at 4:44 PM, Eric Rescorla <[email protected]> wrote: > > Hmm... What about when you have post-handshake auth that retroactively > blesses requests that should have been anonymous? >
TLS client auth doesn't retroactively apply. so yeah, when I said every request on that conn I should have said every request on that conn while it is authenticated (and it can change and whatnot, not trying to write a taxonomy here.). windows auth has a similar property that it starts with an unauthenticated connection and a http response at any point could choose to start the authentication dance - but it doesn't apply backwards. You can see why the mulitplexing of h2 booted all this stuff off the island. _______________________________________________ dev-tech-network mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-network
