On Fri, Jun 30, 2017 at 05:53:10PM -0400, 'Vinicius Fortuna [vee-NEE-see.oos]' via Network Traffic Obfuscation wrote:
>
https://tools.ietf.org/html/draft-ietf-tls-exported-authenticator-02
>
>
> This document provides a way to authenticate one party of a Transport
> Layer Security (TLS) communication to another using a certificate
> after the session has been established. This allows both the client
> and server to prove ownership of additional identities at any time
> after the handshake has completed. This proof of authentication can
> be exported and transmitted out of band from one party to be
> validated by the other party.
Related to tls-exported-authenticator is Secondary Certificate
Authentication, which John Sarapata posted about in
https://groups.google.com/forum/#!topic/traffic-obf/bF61DndrA8I and
included a link to a talk by Nick Sullivan. The current version appears
to be
https://tools.ietf.org/html/draft-bishop-httpbis-http2-additional-certs-04
Many HTTP servers host content from several origins. HTTP/2
[RFC7540] permits clients to reuse an existing HTTP connection to a
server provided that the secondary origin is also in the certificate
provided during the TLS [I-D.ietf-tls-tls13] handshake.
In many cases, servers will wish to maintain separate certificates
for different origins but still desire the benefits of a shared HTTP
connection. Similarly, servers may require clients to present
authentication, but have different requirements based on the content
the client is attempting to access.
This document describes a how TLS exported authenticators
[I-D.ietf-tls-exported-authenticator] can be used to provide proof of
ownership of additional certificates to the HTTP layer to support
both scenarios.