Client-Cert HTTP Header Field: Conveying Client Certificate Information from TLS Terminating Reverse Proxies to Origin Server Applications
For tonight’s light reading
Brian Campbell produces a lot of interesting things. Let’s see what’s inside.
Hooray, some attention is being given to mutual TLS
Client-Cert should only be used for the client that connects to a trusted network.
Remember how confusing X-Forwarded-For can get?
And how you have to pay cloudflare to actually give you the right one in another header?
I once tried to put RSA PGP keys into DNS. Didn’t go well.
I can see the same happening here. Time to ditch rsa for Ed25519, Ed448
I love it when examples have copy and paste examples
But maybe I’ve seen too much base64 to recognize them like faces.
I hope they permit the whole certificate chain.
It’s not enough in my eyes to just trust the endpoint.
Blocking the application capability to inspect and verify a certified public key to a trust anchor may be a significant barrier for regulated environments.
Overall, I like the simplicity this offers, I agree with the justification that it be separate from the Forwarded RFC 7239 (which I did not know about) due to complicity. Manipulating headers on the edge is such a pain.
I hope this draft improves and includes the full chain
OAuth 2.0 Authorization Server Issuer Identification
Okay, so this is something that addresses the conversation in GNAP right now.
A mix-up attack is where a client, which interacts with multiple AS uses one that has become compromised (AAS) and it is proxying & rewriting from an uncompromised AS (HAS)