TLS Client Authentication

Overview [1] [2]#

TLS Client Authentication is when the the client (browser) uses a certificate to authenticate itself during the TLS Full Handshake within the CertificateRequest so that the TLS connection can use Mutual Authentication

In a "traditional" TLS Full Handshake the server is Authenticated to the Client but the TLS server does not know too much about the client.

There are several problems with TLS Client Authentication, which have impeded its adoption across the Web some of which are noted below.

Bad User Experience#

Obtaining a certificate usually requires interaction with a Certification Authority (CA), with a lengthy process for identifying the user, setting up an account with the CA, and at the very least dealing with the UI presented by the <keygen> tag. Most non-technical users don't understand the trust model behind CAs, and don't want to be bothered with questions about RSA key lengths, etc.

Another example is browser multi-login. Google, for example, allows multiple users to be logged into the same HTTP session. Today, Google uses this feature mostly to show users a little "fast account switching" widget at the top right of the page, but it's easy to imagine that some products like Calendar or Docs show an aggregate view of the data belonging to all logged-in accounts. TLS Client Authentication doesn't allow this use case, either.

Privacy Considerations#

Once a user has obtained a certificate, any site on the web can request TLS Client Authentication with that certificate. The user can now choose to not be logged in at all, or use the same Digital Identity at the new site that they use with other sites on the web. That is a poor choice. Creating different certificates for different sites makes the User Experience worse: Now the user is presented with a list of certificates every time they visit a web site requiring TLS Client Authentication.

TLS Client Authentication Data Leakage#

TLS is not the best privacy protecting protocol in that Server Name Indication leaks what DNS Domain the client connects to. There is also the failure to protect user information when using TLS Client Authentication mentioned, but it's likely that TLS Client Authentication is so rarely used, that this have not been on anyone's radar.

More Information#

There might be more information for this subject on one of the following: