
This is my first post here in the area of security and encryption. I will try to be succinct, and let you know that I am not an expert in security.

Context: My client (visitor) has an X509 certificate installed on his machine, containing its public and private key. This certificate attests to who he is as a person.

Problem: I recently found that I can use mTLS to authenticate this client to my platform, and be assured that he has accessed. However, I have some questions about this process:

  1. Can I use this certificate to sign an arbitrary string? I saw, for example, the use of "session tickets", but I don't know if I could sign this way.
  2. How can I retrieve the session data to save to the database, so that it records that at this specific moment that user accessed and authenticated to the platform? It would be more or less creating a signed snapshot of the request made, guaranteeing for posterity that the holder of such a certificate actually initiated that request.

Thank you very much

Bruno Alano
  • Is this about non-repudiation? In other words, are you trying to store something that shows that the client digitally signed a request that it made to your server? – mti2935 Nov 16 '21 at 14:57
  • Exactly @mti2935. So, in my use case, I could add URL Parameters, and if he provided and approved using his local certificate, I would use this "snapshot" to show that he authorized – Bruno Alano Nov 16 '21 at 15:27

1 Answer

TLS (including client certificate authentication in TLS) does not provide non-repudiation. With client certificate authentication, the client signs the session (which is part of the TLS handshake), as you mention in your question. But, this cannot be used to later go back and prove that the client signed an HTTP request that it made to your server.

See https://crypto.stackexchange.com/questions/5455/does-a-trace-of-ssl-packets-provide-a-proof-of-data-authenticity for some interesting reading on this subject (especially the answer by Thomas Pornin).

mti2935
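To make the answer's distinction concrete, here is an added example in Go (not from the answer or the original post): a TLS record's integrity tag is an HMAC under a key both peers derive from the handshake, so the server can reproduce it and a stored transcript proves nothing about who produced it, whereas a signature over an application-layer snapshot of the request, made with the private key behind the client's certificate, can be verified later against that certificate. The `Snapshot` type, its field values and the session key are constructed for illustration; the ECDSA key stands in for the key pair inside the client's X.509 certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Snapshot is a constructed application-layer record of one request.
type Snapshot struct {
	Method, Path, Query, BodySHA256, Timestamp, Nonce string
}

// Canonical returns the exact bytes that get signed; field order and
// separator are fixed so client and server build the same input.
func (s Snapshot) Canonical() []byte {
	return []byte(s.Method + "\n" + s.Path + "\n" + s.Query + "\n" +
		s.BodySHA256 + "\n" + s.Timestamp + "\n" + s.Nonce)
}

// SignSnapshot signs the snapshot with the client's private key (the key
// behind its certificate). Only the holder of that key can produce this.
func SignSnapshot(priv *ecdsa.PrivateKey, s Snapshot) ([]byte, error) {
	d := sha256.Sum256(s.Canonical())
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// VerifySnapshot checks a stored signature against the certificate's public key.
func VerifySnapshot(pub *ecdsa.PublicKey, s Snapshot, sig []byte) bool {
	d := sha256.Sum256(s.Canonical())
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// RecordMAC mimics the integrity tag on a TLS record: an HMAC under a key
// both peers share after the handshake, so the server can compute it too.
func RecordMAC(sessionKey, record []byte) []byte {
	m := hmac.New(sha256.New, sessionKey)
	m.Write(record)
	return m.Sum(nil)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	snap := Snapshot{"POST", "/approve", "order=42", "sha256-of-body", "2021-11-16T15:27:00Z", "n0nce"}
	sig, _ := SignSnapshot(priv, snap)
	fmt.Println("signature verifies:", VerifySnapshot(&priv.PublicKey, snap, sig))
	key := []byte("constructed-session-key") // stand-in for a TLS traffic key
	fmt.Println("server reproduces record MAC:", hmac.Equal(RecordMAC(key, []byte("GET /")), RecordMAC(key, []byte("GET /"))))
}
```

Storing the snapshot, the signature and the client certificate together is what lets a third party later check the signature; keeping only TLS session data does not give that property.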