Re: [httpwg/http-extensions] Stream-linking frames can reference Stream Zero (#586)

HTTP issue updates <http-issues@ietf.org> Thu, 24 May 2018 23:37 UTC

Date: Thu, 24 May 2018 16:37:04 -0700
To: httpwg/http-extensions <http-extensions@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
In-Reply-To: <httpwg/http-extensions/pull/586@github.com>
References: <httpwg/http-extensions/pull/586@github.com>
Subject: Re: [httpwg/http-extensions] Stream-linking frames can reference Stream Zero (#586)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5b074ca0cc5ab_b053fe6799d6f80114297"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-issues/RMG61sqgmJu9a7Q1g6c4h9gJO3w>
Message-ID: <mailman.911.1527205030.2697.http-issues@ietf.org>
From: HTTP issue updates <http-issues@ietf.org>
Reply-To: http-issues@ietf.org

martinthomson requested changes on this pull request.

This makes me convinced that we probably want to hold exported authenticators for a little while longer. See the big comment.

>
-If the server does not have the desired certificate, it MUST \[see issue #564].
-In this case, or if the server has not advertised support for HTTP-layer
-certificates, the client MUST NOT send any requests for resources in that origin
-on the current connection.
+If the server does not have the desired certificate, it MUST send an empty
+`USE_CERTIFICATE` frame for stream zero. In this case, or if the server has not

When you say empty, I think that you mean that the server sends an empty CERTIFICATE frame and then references that certificate when it wants to reject a CERTIFICATE_NEEDED request.

That is:

```
Client Sends:
CERTIFICATE_REQUEST (id=N) -->
CERTIFICATE_NEEDED (S=0, R=M) -->
...
Server can't answer, so:
<-- CERTIFICATE (Cert-ID=Q, <empty>)
<-- USE_CERTIFICATE (S=0, R=M)
```

The problem here is that the empty CERTIFICATE frame isn't bound in any way to the CERTIFICATE_REQUEST, unless your definition of "empty" isn't that the authenticator is completely absent, but that it includes a valid authenticator, but no certificate in the TLS Certificate message. Then the `certificate_request_context` can be used to correlate CERTIFICATE with CERTIFICATE_REQUEST in the usual fashion. That's how TLS does it - it sends Certificate without the certificate and omits the CertificateVerify message entirely if it doesn't want to authenticate. (I just realized that I used CERTIFICATE, Certificate and certificate in the same paragraph to mean three different things, which is not at all confusing.)

I just read exported authenticators again and I don't see that use case being addressed at all. @grittygrease should be aware of that given that TLSEA is in WGLC. I think that TLSEA needs to address that case one way or other. If the intent is to have the using application manage rejection, then it needs to be clear where the responsibility lies. However, I think that having authenticated rejection is superior and that should be expressly included in the draft with a description of how that is done.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/httpwg/http-extensions/pull/586#pullrequestreview-123206820

[httpwg/http-extensions] Stream-linking frames ca… HTTP issue updates
Re: [httpwg/http-extensions] Stream-linking frame… HTTP issue updates
Re: [httpwg/http-extensions] Stream-linking frame… HTTP issue updates
Re: [httpwg/http-extensions] Stream-linking frame… HTTP issue updates
Re: [httpwg/http-extensions] Stream-linking frame… HTTP issue updates
Re: [httpwg/http-extensions] Stream-linking frame… HTTP issue updates