TLS client certificate with HTTP mode

[edudev]

TL;DR: Do you think TLS client certificates with HTTP mode are a needed feature?

I'm new to OwnTracks and have been going through the booklet.

One thing I noticed is that it stresses the great security built into OwnTracks.
However, once I started tinkering, I noticed that the only possible way to authenticate in HTTP mode is through Basic authentication (which is reasonably okay, as long as one is using HTTPS).

I also know that TLS client certificates are supported in MQTT mode, but the booklet also discourages this mode for Android devices (though no reasoning is provided).

I would really like to see HTTPS client certificates in the Android app (and really, keys & certificates should be managed by the OS, but I already saw an open ticket for that).

[growse]

mTLS is an interesting one, because you've highlighted a place where you can do something in MQTT mode, but you can't do it in HTTP mode. In that pure, feature-parity sense, I think it's a reasonable ask.

On the other hand, I think there's a couple of issues with mTLS support in general:

1. It's more complex. Both in terms of code on the client, but also managing the CA, debugging what's gone wrong when there's an issue etc. (there's so many more failure modes).
2. I'm not convinced it actually buys you much. mTLS is generally useful for doing server-to-server authentication, where a single org controls a fixed number of static-ish systems that need to authenticate to each other. In the case of OT, we're trying to authenticate the end user, who needs to know and be able to manage their credentials - in that sense, a client cert is just an inconvenient password. The main benefit I can see would be that on some devices the certificate secret can be managed more securely by the device itself, rather than just being stored in an app preference. If that's a thing that people need, then that's a stronger case for implementing.