| rfc9440v4.txt | rfc9440.txt | |||
|---|---|---|---|---|
| skipping to change at line 301 ¶ | skipping to change at line 301 ¶ | |||
| client certificate (or lack thereof) can be conveyed by selecting | client certificate (or lack thereof) can be conveyed by selecting | |||
| response content as appropriate or with an HTTP 403 response, if the | response content as appropriate or with an HTTP 403 response, if the | |||
| certificate is deemed unacceptable for the given context. Note that | certificate is deemed unacceptable for the given context. Note that | |||
| TLS clients that rely on error indications at the TLS layer for an | TLS clients that rely on error indications at the TLS layer for an | |||
| unacceptable certificate will not receive those signals. | unacceptable certificate will not receive those signals. | |||
| When the value of the Client-Cert request header field is used to | When the value of the Client-Cert request header field is used to | |||
| select a response (e.g., the response content is access-controlled), | select a response (e.g., the response content is access-controlled), | |||
| the response MUST either be uncacheable (e.g., by sending Cache- | the response MUST either be uncacheable (e.g., by sending Cache- | |||
| Control: no-store) or be designated for selective reuse only for | Control: no-store) or be designated for selective reuse only for | |||
| subsequent requests with the same Client-Cert header value by sending | subsequent requests with the same Client-Cert header field value by | |||
| a "Vary: Client-Cert" response header. If a TTRP encounters a | sending a "Vary: Client-Cert" response header. If a TTRP encounters | |||
| response with a client-cert field name in the "Vary" header field, it | a response with Client-Cert or Client-Cert-Chain in the Vary header | |||
| SHOULD prevent the user agent from caching the response by | field (Section 12.5.5 of [HTTP]), it SHOULD prevent the user agent | |||
| transforming the value of the Vary response header field to "*". | from caching the response by transforming the value of the Vary | |||
| response header field to "*". | ||||
| Forward proxies and other intermediaries MUST NOT add the Client-Cert | Forward proxies and other intermediaries MUST NOT add the Client-Cert | |||
| or Client-Cert-Chain header fields to requests or modify an existing | or Client-Cert-Chain header fields to requests or modify an existing | |||
| Client-Cert or Client-Cert-Chain header field. Similarly, clients | Client-Cert or Client-Cert-Chain header field. Similarly, clients | |||
| MUST NOT employ the Client-Cert or Client-Cert-Chain header field in | MUST NOT employ the Client-Cert or Client-Cert-Chain header field in | |||
| requests. | requests. | |||
| 3. Deployment Considerations | 3. Deployment Considerations | |||
| 3.1. Header Field Compression | 3.1. Header Field Compression | |||
| skipping to change at line 623 ¶ | skipping to change at line 624 ¶ | |||
| is not at all unique to the functionality of this document; | is not at all unique to the functionality of this document; | |||
| therefore, it would be inappropriate for this document to define a | therefore, it would be inappropriate for this document to define a | |||
| one-off solution. Since a generic common solution does not currently | one-off solution. Since a generic common solution does not currently | |||
| exist, stripping and sanitizing the fields is the de facto means of | exist, stripping and sanitizing the fields is the de facto means of | |||
| protecting against field injection in practice. Sanitizing the | protecting against field injection in practice. Sanitizing the | |||
| fields is sufficient when properly implemented and is a normative | fields is sufficient when properly implemented and is a normative | |||
| requirement of Section 4. | requirement of Section 4. | |||
| B.2. The Forwarded HTTP Extension | B.2. The Forwarded HTTP Extension | |||
| The "Forwarded" HTTP header field defined in [RFC7239] allows proxy | The Forwarded HTTP header field defined in [RFC7239] allows proxy | |||
| components to disclose information lost in the proxying process. The | components to disclose information lost in the proxying process. The | |||
| TLS client certificate information of concern to this document could | TLS client certificate information of concern to this document could | |||
| have been communicated with an extension parameter to the Forwarded | have been communicated with an extension parameter to the Forwarded | |||
| field; however, doing so would have had some disadvantages that this | field; however, doing so would have had some disadvantages that this | |||
| document endeavored to avoid. The Forwarded field syntax allows for | document endeavored to avoid. The Forwarded field syntax allows for | |||
| information about a full chain of proxied HTTP requests, whereas the | information about a full chain of proxied HTTP requests, whereas the | |||
| Client-Cert and Client-Cert-Chain header fields of this document are | Client-Cert and Client-Cert-Chain header fields of this document are | |||
| concerned only with conveying information about the certificate | concerned only with conveying information about the certificate | |||
| presented by the originating client on the TLS connection to the TTRP | presented by the originating client on the TLS connection to the TTRP | |||
| (which appears as the server from that client's perspective) to | (which appears as the server from that client's perspective) to | |||
| End of changes. 2 change blocks. | ||||
| 6 lines changed or deleted | 7 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||