undefined | Better HN

0 pointsbawolff3y ago0 comments

> but the idea is that I can now take this cookie, show it to a third party and the third party can verify the credential's validity.

Or you know, like oauth.

Or if you want to really play up the credential angle, how tls client certificates work, if anyone would ever use them.

0 comments

judge20203y ago

Perhaps TLS client certificates are unpopular because pretty much everyone uses some sort of anti-ddos or caching server in front of their services (cloud load balancers, fastly, akamai, cloudflare) so any TLS client certificate authentication and validation has to be baked into the service[0] (another possibility could be the service encoding the client's information and shipping it to the origin server via headers).

Another options for companies is only signing request bodies and validating a request signature in the header like discord does[1].

0: https://developers.cloudflare.com/api-shield/security/mtls/c...

1: https://discord.com/developers/docs/interactions/receiving-a...

bawolffOP3y ago

TLS client certs were unpopular way before external TLS termination became popular.

Besides, it would be fairly easy to implement at a cdn layer. Just give it a list of valid CAs, and have it set some header.

The real reason is that UI challenges for client certs are really hard. You can see it in the fact that people actual do use client certs in server to server communication (e.g. like between cache and backend)

nibbleshifter3y ago

Having worked with TLS client certificates before, I like them, but I wouldn't inflict them on anyone else.

j / k navigate · click thread line to collapse