On Aug 30, 2012, at 9:18 AM, Carl Wallace wrote:

>> And for issuers, it can be difficult to predict what proportion of the
>> user population will accept a certificate chain with certain
>> characteristics. For instance, when a browser includes a nonce in an
>> OCSP request but the server supplies a
>> response that does not include the nonce, it is hard to know which
>> browsers will accept and which will reject the response.
>
> Is client authentication processing performed by web servers in scope? If
> not, explicitly push that out of scope.

It would be nice if it were in scope. Client authorization is a vastly under-used feature. I wouldn't want to endanger everything else over it, but if we keep sweeping it under the rug, it will continue to languish.

Jon

_______________________________________________
wpkops mailing list
wpkops@ietf.org
https://www.ietf.org/mailman/listinfo/wpkops