From 9bcc3a7533e140a5ce3ea4d0b37b7de3907df50f Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Wed, 31 May 2023 16:12:03 -0700 Subject: [PATCH] GEP: Client Certificate Validation for TLS terminating at the Gateway Listener Signed-off-by: Arko Dasgupta --- geps/gep-91.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 geps/gep-91.md diff --git a/geps/gep-91.md b/geps/gep-91.md new file mode 100644 index 0000000000..13fee63e4a --- /dev/null +++ b/geps/gep-91.md @@ -0,0 +1,22 @@ +# GEP-91: Client Certificate Validation for TLS terminating at the Gateway Listener + +* Issue: [#91](https://github.com/kubernetes-sigs/gateway-api/issues/91) +* Status: Provisional + +(See definitions in [GEP Status][/contributing/gep#status].) + +## TLDR + +This GEP proposes a way to validate the TLS certificate presented by the downstream client to the server +(Gateway Listener in this case) during a [TLS Handshake Protocol][], also commonly referred to as mutual TLS (mTLS). + +## Goals +- Define an API field to specify the CA Certificate within the Gateway Listener configuration that can be used as a trusted anchor to validate the certificates presented by the client. + +## Non-Goals +- Define other fields that can be used to verify the client certificate such as the Cerificate Hash or Subject Alt Name. + +## References + +[TLS Handshake Protocol]: https://www.rfc-editor.org/rfc/rfc5246#section-7.4 +[Certificate Path Validation]: https://www.rfc-editor.org/rfc/rfc5280#section-6
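Review bot: The GEP Status link in the new file, `(See definitions in [GEP Status][/contributing/gep#status].)`, uses reference-link syntax with a path as the reference label, and no `[/contributing/gep#status]: ...` definition exists in the file, so Markdown will render it as literal text; use an inline link instead, `(See definitions in [GEP Status](/contributing/gep#status).)`. Two smaller points in the same hunk: `Cerificate Hash` in the Non-Goals bullet should read `Certificate Hash`, and the `[Certificate Path Validation]` reference defined under `## References` is never cited in the body, so either drop it or cite it where the TLDR describes validating the client certificate against the trusted anchor from the Goals section, since RFC 5280 section 6 is the path-validation procedure that trust anchor feeds into.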