
Prohibit client certs from being used with Opp-Sec #192

Closed
enygren opened this issue Jun 2, 2016 · 2 comments

enygren commented Jun 2, 2016

Another post-WGLC feedback item that came up from one of our security researchers which
is not covered in the doc is client certs. Do we need any guidance on them in the doc?
Should we say that clients MUST NOT send them for connections being used for HTTP-scheme
requests? Or only send them after an origin has opted-in with a .well-known/http-encryption response
over a strongly authenticated connection?

The risk comes from an unauthenticated active adversary Alt-Svc'ing a client to a server
to which the client is sending client certs for HTTPS but where the server is not
multi-scheme aware and hasn't opted in. There is the potential for the server to
have a perception of HTTPS client-cert authenticated requests when the client may
be thinking it is making HTTP requests which may have had some cookies
or other elements injected by the active MitM under the cleartext HTTP side.

From @martinthomson on http-wg discussion:

I would be happy saying that you can't use client certs. That is,
unless you were using them for HTTPS requests and the connection
happened to be shared.

@mnot mnot changed the title Prohibit client certs from being used with Opp-Sec [opp-sec] Prohibit client certs from being used with Opp-Sec Jun 3, 2016

mnot commented Jun 7, 2016

How about something like:

Client certificates are not meaningful for URLs with the "http" scheme, and therefore clients creating new TLS connections to alternative services for the purposes of this specification MUST NOT present them. Established connections with client certificates MAY be reused, however.
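As an added illustration (not code from the httpbis draft or from any of the commenters above), the following client-side connection-pool rule encodes the two sentences in mnot's proposal and the threat enygren describes: a new TLS connection opened for an http-scheme request routed through an Alt-Svc alternative never presents a client certificate, while an already established connection that happened to be authenticated with a client certificate for earlier https traffic may be reused. The `Connection`, `Request` and `Pool` types, the host names, and the `client_cert_hosts` configuration are all invented for the example.

```python
# Added example: a connection-selection rule for an opportunistic-security
# client. The data model below is hypothetical, not the draft's or any
# implementation's.
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple


@dataclass
class Connection:
    """One established TLS connection to a server (hypothetical model)."""
    host: str
    port: int
    client_cert_presented: bool   # did the TLS handshake include a client cert?
    opened_for_scheme: str        # "http" (opp-sec via Alt-Svc) or "https"
    requests_served: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Request:
    scheme: str   # URL scheme of the request: "http" or "https"
    host: str
    port: int


class Pool:
    """Client-side connection pool applying the proposed client-cert rule."""

    def __init__(self, client_cert_hosts: Iterable[str]) -> None:
        # Hosts for which this client has a client certificate configured.
        self.client_cert_hosts: Set[str] = set(client_cert_hosts)
        self.conns: List[Connection] = []

    def _find(self, host: str, port: int) -> Optional[Connection]:
        for c in self.conns:
            if c.host == host and c.port == port:
                return c
        return None

    def send(self, req: Request, alt_host: Optional[str] = None,
             alt_port: Optional[int] = None) -> Tuple[Connection, bool]:
        """Route req and return (connection used, whether it was newly created).

        For an "http" request, alt_host/alt_port is the Alt-Svc alternative the
        client has chosen. An active attacker on the cleartext side can inject
        that Alt-Svc header, which is why a connection created for such a
        request must not carry a client certificate: the server would otherwise
        see client-cert-authenticated requests that the client believes are
        plain http.
        """
        host = alt_host or req.host
        port = alt_port or req.port
        conn = self._find(host, port)
        if conn is None:
            if req.scheme == "http":
                # MUST NOT present a client certificate on a connection
                # created for http-scheme requests, even if one is configured.
                present = False
            else:
                # Ordinary https behaviour: present a cert when configured.
                present = host in self.client_cert_hosts
            conn = Connection(host, port, present, req.scheme)
            self.conns.append(conn)
            created = True
        else:
            # An established connection, possibly authenticated with a client
            # cert for earlier https traffic, MAY be reused for http requests.
            created = False
        conn.requests_served.append(req.scheme)
        return conn, created


if __name__ == "__main__":
    pool = Pool(client_cert_hosts={"alt.example"})
    conn, created = pool.send(Request("http", "www.example", 80),
                              alt_host="alt.example", alt_port=443)
    print(f"new={created} client_cert={conn.client_cert_presented}")
```

The check worth adding in a real client sits at the `req.scheme == "http"` branch: a pool that keys connections only by host and port will happily present a configured client certificate for the alternative unless the scheme of the request that triggers the new connection is consulted at handshake time.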

@martinthomson

WFM

mnot added a commit that referenced this issue Jun 9, 2016
@mnot mnot closed this as completed Jul 8, 2016