Ah how about

Client-Cert HTTP Header Field: Conveying Client Certificate Information from TLS Terminating Reverse Proxies to Origin Server Applications

For tonight’s light reading
Brian Campbell produces a lot of interesting things. Let’s see what’s inside.
Hooray, some attention is being given to mutual TLS
Client-Cert should only be used for the client that connects to a trusted network.
Remember how confusing X-Forwarded-For can get?
And how you have to pay cloudflare to actually give you the right one in another header?
I once tried to put RSA PGP keys into DNS. Didn’t go well.
I can see the same happening here. Time to ditch rsa for Ed25519, Ed448
I love it when examples have copy and paste examples
But maybe I’ve seen too much base64 to recognize them like faces.
I hope they permit the whole certificate chain.
It’s not enough in my eyes to just trust the endpoint.
Blocking the application capability to inspect and verify a certified public key to a trust anchor may be a significant barrier for regulated environments.
Overall, I like the simplicity this offers, I agree with the justification that it be separate from the Forwarded RFC 7239 (which I did not know about) due to complicity. Manipulating headers on the edge is such a pain.

I hope this draft improves and includes the full chain

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Cendyne

Cendyne Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @CendyneNaga

10 Jun
Tonight’s light reading

OAuth 2.0 Authorization Server Issuer Identification
Okay, so this is something that addresses the conversation in GNAP right now.
A mix-up attack is where a client, which interacts with multiple AS uses one that has become compromised (AAS) and it is proxying & rewriting from an uncompromised AS (HAS)
I wish acronyms weren’t explained more often
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!