Hi Tim, Based on my experience client authentication should be largely out of scope except for the issues such as hints list and how client selects the certificate to be presented.
Most of the other issues I see on the Server side when authenticating the client certificate are generic PK enablement issues and not specific to Web. -----Original Message----- From: wpkops-boun...@ietf.org [mailto:wpkops-boun...@ietf.org] On Behalf Of Tim Moses Sent: Friday, August 31, 2012 11:52 AM To: wpkops@ietf.org Subject: Re: [wpkops] Second draft charter proposal All - I have no fundamental objection to expanding the scope in the ways suggested. It's true that the original idea was to limit the scope to server-auth to Web browsers. That's because vulnerabilities have been demonstrated and the impact can clearly be severe. Do those conditions exist for client-auth and CalDAV? If not, I might assign them lower priority. On the other hand, if they impact the workload by no more than (say) 10%, why wouldn't we include them? I think it's important to remember that increased workload must be borne not just by the editors but also by the reviewers (every subscriber to the mail-list). All the best. Tim. -----Original Message----- From: wpkops-boun...@ietf.org [mailto:wpkops-boun...@ietf.org] On Behalf Of Carl Wallace Sent: Thursday, August 30, 2012 12:31 PM To: Jon Callas; wpkops@ietf.org Subject: Re: [wpkops] Second draft charter proposal On 8/30/12 12:28 PM, "Jon Callas" <joncal...@me.com> wrote: >On Aug 30, 2012, at 9:18 AM, Carl Wallace wrote: > >>> And for issuers, it can be difficult to predict what proportion of >>> the user population will accept a certificate chain with certain >>> characteristics. For instance, when a browser includes a nonce in >>> an OCSP request but the server supplies a response that does not >>> include the nonce, it is hard to know which browsers will accept and >>> which will reject the response. >>> >>> >>> >> >> Is client authentication processing performed by web servers in scope? >>If >> not, explicitly push that out of scope. > >It would be nice if it were in scope. Client authorization is a vastly >under-used feature. > >I wouldn't want to endanger everything else over it, but if we keep >sweeping it under the rug, it will continue to languish. I agree and would like to see it stay in scope as well. _______________________________________________ wpkops mailing list wpkops@ietf.org https://www.ietf.org/mailman/listinfo/wpkops _______________________________________________ wpkops mailing list wpkops@ietf.org https://www.ietf.org/mailman/listinfo/wpkops _______________________________________________ wpkops mailing list wpkops@ietf.org https://www.ietf.org/mailman/listinfo/wpkops