Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Abstracts are small #575

Merged
merged 2 commits into from
Apr 13, 2018
Merged

Abstracts are small #575

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d2c7720
Abstracts are small
MikeBishop Apr 9, 2018
85db409
a single
MikeBishop Apr 13, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 11 additions & 19 deletions draft-ietf-httpbis-http2-secondary-certs.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,24 +45,10 @@ informative:

--- abstract

TLS provides fundamental mutual authentication services for HTTP, supporting up
to one server certificate and up to one client certificate associated to the
session to prove client and server identities as necessary. This draft provides
mechanisms for providing additional such certificates at the HTTP layer when
these constraints are not sufficient.

Many HTTP servers host content from several origins. HTTP/2 permits clients to
reuse an existing HTTP connection to a server provided that the secondary origin
is also in the certificate provided during the TLS handshake.

In many cases, servers will wish to maintain separate certificates for different
origins but still desire the benefits of a shared HTTP connection. Similarly,
servers may require clients to present authentication, but have different
requirements based on the content the client is attempting to access.

This document describes how TLS exported authenticators can be used to provide
proof of ownership of additional certificates to the HTTP layer to support both
scenarios.
A use of TLS Exported Authenticators is described which enables HTTP/2 clients
and servers to offer additional certificate-based credentials after the
connection is established. The means by which these credentials are used with
requests is defined.

--- note_Note_to_Readers

Expand All @@ -80,7 +66,7 @@ code and issues list for this draft can be found at

HTTP clients need to know that the content they receive on a connection comes
from the origin that they intended to retrieve in from. The traditional form of
server authentication in HTTP has been in the form of X.509 certificates
server authentication in HTTP has been in the form of a single X.509 certificate
provided during the TLS [RFC5246][I-D.ietf-tls-tls13] handshake.

Many existing HTTP [RFC7230] servers also have authentication requirements for
Expand All @@ -93,6 +79,12 @@ TLS 1.2 [RFC5246] supports one server and one client certificate on a
connection. These certificates may contain multiple identities, but only one
certificate may be provided.

Many HTTP servers host content from several origins. HTTP/2 permits clients to
reuse an existing HTTP connection to a server provided that the secondary origin
is also in the certificate provided during the TLS handshake. In many cases,
servers choose to maintain separate certificates for different origins but
still desire the benefits of a shared HTTP connection.

## Server Certificate Authentication

Section 9.1.1 of [RFC7540] describes how connections may be used to make
Expand Down