Scope of server USE_CERTIFICATE frames is unclear #1092
Labels
Comments
|
Closing, as we're no longer working on secondary certs. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
All the examples of server
USE_CERTIFICATEframes show them applying to stream 0, which I guess means they ambiently apply to the entire connection, but there isn't clear specification text describing this. The draft in general does not clearly specify the semantics and timing of aUSE_CERTIFICATEframe, only alluding to problems in security considerations. (Incidentally, that section is missing an RFC6919 citation. ;-) )Questions of server certificate scope need to further consider whether HTTP authentication is simply a property of the
Hostheader and being willing to respond to the name, or whether the exact server certificate is relevant. In particular, it's unclear how this interacts with the tls-server-end-point channel binding, especially if the draft does not try to bind server certificates to streams. (Note that, if you do decide to bind them, the binding needs to be set before the request is sent, which makes the timing is quite different from client certificates.)The text was updated successfully, but these errors were encountered: