Ah how about
Client-Cert HTTP Header Field: Conveying Client Certificate Information from TLS Terminating Reverse Proxies to Origin Server Applications
For tonight’s light reading
Brian Campbell produces a lot of interesting things. Let’s see what’s inside.
Hooray, some attention is being given to mutual TLS
Client-Cert should only be used for the client that connects to a trusted network.
Remember how confusing X-Forwarded-For can get?
And how you have to pay cloudflare to actually give you the right one in another header?
I once tried to put RSA PGP keys into DNS. Didn’t go well.
I can see the same happening here. Time to ditch rsa for Ed25519, Ed448
I love it when examples have copy and paste examples
But maybe I’ve seen too much base64 to recognize them like faces.
I hope they permit the whole certificate chain.
It’s not enough in my eyes to just trust the endpoint.
Blocking the application capability to inspect and verify a certified public key to a trust anchor may be a significant barrier for regulated environments.
Overall, I like the simplicity this offers, I agree with the justification that it be separate from the Forwarded RFC 7239 (which I did not know about) due to complicity. Manipulating headers on the edge is such a pain.
I hope this draft improves and includes the full chain
Share this Scrolly Tale with your friends.
A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.