<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/wiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/wiki/images/favicon.ico" />

<pre>
!!! Overview [1] [2]
[{$pagename}] is when the the [client] ([browser]) uses a [certificate] to authenticate itself during the [TLS Full Handshake] within the [CertificateRequest] so that the [TLS] connection can use [Mutual Authentication]In a &quot;traditional&quot; [TLS Full Handshake] the [server] is [Authenticated] to the [Client] but the [TLS] [server] does not know too much about the [client].

There are several problems with [{$pagename}], which have impeded its adoption across the Web some of which are noted below.

!! Bad [User Experience]
Obtaining a certificate usually requires interaction with a Certification Authority (CA), with a lengthy process for identifying the user, setting up an account with the CA, and at the very least dealing with the UI presented by the &lt;keygen&gt; tag. Most non-technical users don't understand the trust model behind CAs, and don't want to be bothered with questions about RSA key lengths, etc.

Another example is [browser] multi-login. [Google], for example, allows multiple users to be logged into the same HTTP session. Today, Google uses this feature mostly to show users a little &quot;fast account switching&quot; widget at the top right of the page, but it's easy to imagine that some products like Calendar or Docs show an aggregate view of the data belonging to all logged-in accounts. [{$pagename}] doesn't allow this use case, either.

!! [Privacy Considerations]
Once a user has obtained a certificate, any site on the web can request [{$pagename}] with that [certificate]. The user can now choose to not be logged in at all, or use the same [Digital Identity] at the new site that they use with other sites on the web. That is a poor choice. Creating different certificates for different sites makes the [User Experience] worse: Now the user is presented with a list of [certificates] every time they visit a web site requiring [{$pagename}].

! [{$pagename}] [Data Leakage]
[TLS] is not the best [privacy] protecting [protocol] in that [Server Name Indication] leaks what [DNS Domain] the [client] connects to.  There is also the failure to protect user information when using [{$pagename}] mentioned, but it's likely that [{$pagename}] is so rarely used, that this have not been on anyone's radar.!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [TLS Client Authentication|http://www.browserauth.net/tls-client-authentication|target='_blank'] - based on information obtained 2018-11-01- 
* [#2] - [TLS Client Authentication On The Edge|https://blog.cloudflare.com/introducing-tls-client-auth/|target='_blank'] - based on information obtained 2017-11-01 
* [#3] - [TLS Client Authentication Leaks User Info (pre-TLS1.3)|https://blog.funkthat.com/2018/10/tls-client-authentication-leaks-user.html|target='_blank'] - based on information obtained 2018-11-01- 
* [#4] - [Transport_Layer_Security#Client-authenticated_TLS_handshake|Wikipedia:Transport_Layer_Security#Client-authenticated_TLS_handshake|target='_blank'] - based on information obtained 2018-11-01- 
</pre>