by bawolff 1423 days ago
> but the idea is that I can now take this cookie, show it to a third party and the third party can verify the credential's validity.

Or you know, like oauth.

Or if you want to really play up the credential angle, how tls client certificates work, if anyone would ever use them.


Perhaps TLS client certificates are unpopular because pretty much everyone uses some sort of anti-ddos or caching server in front of their services (cloud load balancers, fastly, akamai, cloudflare) so any TLS client certificate authentication and validation has to be baked into the service[0] (another possibility could be the service encoding the client's information and shipping it to the origin server via headers).

Another option for companies is only signing request bodies and validating a request signature in the header, like Discord does[1].

0: https://developers.cloudflare.com/api-shield/security/mtls/c...

1: https://discord.com/developers/docs/interactions/receiving-a...
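Added example (not code from the thread, and not Discord's own scheme) of the signed-request-body pattern the comment above refers to: the sender signs the timestamp plus the raw body, puts the signature and timestamp in headers, and the receiver checks the timestamp window, recomputes over the exact bytes it received, and compares in constant time. The header names, the replay window and the use of an HMAC with a shared secret are assumptions made here so the example runs on the standard library alone; a public-key signature would replace `hmac` without changing the surrounding checks.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example only (assumption: an HMAC stands in
# for whatever signature scheme the real service uses).
SHARED_SECRET = b"example-shared-secret-do-not-use"

# Assumed header names; not taken from the thread or any vendor's docs.
SIG_HEADER = "X-Signature"
TS_HEADER = "X-Signature-Timestamp"

# Assumed replay window in seconds.
MAX_SKEW_SECONDS = 300


def sign_request(body: bytes, timestamp: int, secret: bytes = SHARED_SECRET) -> dict:
    """Sender side: sign str(timestamp) || raw body and return the headers to attach."""
    msg = str(timestamp).encode() + body
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {SIG_HEADER: sig, TS_HEADER: str(timestamp)}


def verify_request(headers: dict, body: bytes, now: int,
                   secret: bytes = SHARED_SECRET) -> bool:
    """Receiver side: reject missing or malformed headers, stale timestamps
    and signatures that do not match the bytes actually received."""
    sig = headers.get(SIG_HEADER)
    ts_raw = headers.get(TS_HEADER)
    if sig is None or ts_raw is None:
        return False
    try:
        ts = int(ts_raw)
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # replayed or far outside the accepted window
    # Recompute over the raw bytes, never over a re-serialised parse of them:
    # json.dumps(json.loads(body)) may differ byte-for-byte from the original.
    expected = hmac.new(secret, str(ts).encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Constructed sample request.
    body = json.dumps({"type": 1}).encode()
    headers = sign_request(body, timestamp=1700000000)
    print("valid:", verify_request(headers, body, now=1700000100))
    print("tampered body:", verify_request(headers, body + b" ", now=1700000100))
    print("stale:", verify_request(headers, body, now=1700001000))
```

The timestamp is signed together with the body so that an old request cannot be resubmitted with a fresh timestamp; `hmac.compare_digest` avoids leaking how many leading bytes of the signature were correct.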

TLS client certs were unpopular way before external TLS termination became popular.

Besides, it would be fairly easy to implement at a CDN layer. Just give it a list of valid CAs, and have it set some header.

The real reason is that UI challenges for client certs are really hard. You can see it in the fact that people actually do use client certs in server-to-server communication (e.g. between cache and backend).
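Added example (not from the thread or any CDN vendor) of the "list of valid CAs, set some header" arrangement described above, written from the origin's point of view: the edge strips any client-supplied copies of the identity headers before setting its own, and the origin only believes those headers when the TCP peer is in the proxy tier. The header names, the CA list, the proxy address range and the simplified certificate representation (a dict with `issuer` and `subject`, with no real chain validation) are all assumptions made for the example.

```python
import ipaddress
from typing import Optional

# --- edge / CDN tier -----------------------------------------------------

# Constructed set of accepted client CAs. A real edge would hold the CA
# certificates and verify the presented chain; here the issuer name stands in
# for that check (assumption, simplified).
ALLOWED_CLIENT_CAS = {"Example Internal CA"}

# Assumed header names the edge sets for the origin.
VERIFIED_HEADER = "X-Client-Cert-Verified"
SUBJECT_HEADER = "X-Client-Cert-Subject"


def proxy_forward(incoming_headers: dict, client_cert: Optional[dict]) -> dict:
    """Edge side: drop any identity headers the client sent, then set them
    from the certificate the edge itself validated."""
    reserved = {VERIFIED_HEADER.lower(), SUBJECT_HEADER.lower()}
    # Header names are case-insensitive, so compare lower-cased.
    forwarded = {k: v for k, v in incoming_headers.items() if k.lower() not in reserved}
    if client_cert and client_cert.get("issuer") in ALLOWED_CLIENT_CAS:
        forwarded[VERIFIED_HEADER] = "SUCCESS"
        forwarded[SUBJECT_HEADER] = client_cert["subject"]
    else:
        forwarded[VERIFIED_HEADER] = "NONE"
    return forwarded


# --- origin tier ---------------------------------------------------------

# Constructed address range of the proxy tier (assumption).
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def origin_identity(peer_ip: str, headers: dict) -> Optional[str]:
    """Origin side: return the client-cert subject only when the request came
    through a trusted proxy; a direct connection carries attacker-controlled headers."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXY_NETS):
        return None
    if headers.get(VERIFIED_HEADER) != "SUCCESS":
        return None
    return headers.get(SUBJECT_HEADER)


if __name__ == "__main__":
    # Constructed samples: a genuine mTLS client, and a client that tries to
    # inject the identity headers itself.
    cert = {"issuer": "Example Internal CA", "subject": "CN=svc-a"}
    print(origin_identity("10.1.2.3", proxy_forward({"Host": "api.example"}, cert)))
    spoof = {"X-Client-Cert-Verified": "SUCCESS", "x-client-cert-subject": "CN=admin"}
    print(origin_identity("10.1.2.3", proxy_forward(spoof, None)))
```

The two halves only work together: if the edge forgets to strip inbound copies, or the origin also accepts the headers on connections that bypass the edge, the header degrades into a self-asserted identity.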

Having worked with TLS client certificates before, I like them, but I wouldn't inflict them on anyone else.