Re: Client Certificates - re-opening discussion

Stefan Eissing <stefan.eissing@greenbytes.de> Tue, 22 September 2015 09:12 UTC

Resent-Date: Tue, 22 Sep 2015 09:09:01 +0000
Resent-Message-Id: <E1ZeJZN-00041M-NX@frink.w3.org>
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Stefan Eissing <stefan.eissing@greenbytes.de>
In-Reply-To: <CY1PR03MB137427E0C66A2297C844DDBF87460@CY1PR03MB1374.namprd03.prod.outlook.com>
Date: Tue, 22 Sep 2015 11:08:31 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <F2A23F97-E114-40D3-8691-84CB7B54A791@greenbytes.de>
References: <63DECDF0-AB59-4AFD-8E48-8C2526FD6047@mnot.net> <42DDF1C6-F516-4F71-BAE0-C801AD13AA01@co-operating.systems> <2F3BD1CB-042D-48AB-8046-BB8506B8E035@mnot.net> <CABcZeBNpjbNdeqxP_cwCDygk6_MVDoNhqcMEDmEvEBxztmonLg@mail.gmail.com> <20150918205734.GA23316@LK-Perkele-VII> <70D2F8CE-D1A2-440F-ADFC-24D0CE0EDCF1@greenbytes.de> <CABcZeBPNxEA6O324tnF3dbUCLD-a7uUvWYYjO1pnYwAm9cN2eA@mail.gmail.com> <CY1PR03MB1374F1CA73EFDA80C7CE44E887580@CY1PR03MB1374.namprd03.prod.outlook.com> <9BD53F44-94BA-4931-891A-BD94B5F440D0@gmail.com> <CY1PR03MB1374BE698FEB732EBB9BD96087460@CY1PR03MB1374.namprd03.prod.outlook.com> <68879535-44AB-4E68-BA42-827BA334D9A8@gmail.com> <CAJU8_nX3kOxTavtz6s8EV_M0wfvgQorDsVDRszqqebVEHh++kw@mail.gmail.com> <C6DB2FC1-AA9B-43B9-BF28-AFB6B2957F9E@gmail.com> <6B89D91E-8E76-46E0-A2B5-1E764DDC5AD0@greenbytes.de> <CAJU8_nX5jY6X0Nnd5Vke0wpYS3UCsmyzqvD6xoQ4u_L7Wfr3SQ@mail.gmail.com> <4456BAAA-125B-4038-AAC7-77A20F0C75B1@co-operating.systems> <CAJU8_nV4=iPowBOysL9Wz5Wyrm4OiKs0J4s6E 3fmCQmv9=MyHw@mail.gmail.com> <C874EAAC-FF26-42C6-BB6C-5785A6508664@bblfish.net> <CY1PR03MB137427E0C66A2297C844DDBF87460@CY1PR03MB1374.namprd03.prod.outlook.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Received-SPF: pass client-ip=217.91.35.233; envelope-from=stefan.eissing@greenbytes.de; helo=mail.greenbytes.de
Subject: Re: Client Certificates - re-opening discussion
Archived-At: <http://www.w3.org/mid/F2A23F97-E114-40D3-8691-84CB7B54A791@greenbytes.de>
Resent-From: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list

> Am 21.09.2015 um 20:23 schrieb Mike Bishop <Michael.Bishop@microsoft.com>:
> 
> I have no issue with defining something at the application layer that becomes a viable alternative to move toward.  In the meantime, though, we want a way for applications built on the old/current model to use HTTP/2.

Thanks, Mike. My feelings exactly.

We want sites to enable HTTP/2. We do not want them to crash and go down in flames, because the existing HTTP/1 config was not suitable. We'd like predictable (or at least defined) behaviour of clients when running into whatever the server sends back in such scenarios.


In order to completely avoid renegotiations on HTTP/2 (and I think we all agree on that), one approach would be to force the client back to HTTP/1.1 using another (new or open) connection. The response should indicate the realm where this restriction applies.

Note that servers may be unable to trigger client certs on connection setup. This often happens on the first request, triggering a renegotiation. Often specific TLS parameters only apply to special locations on a server (in existing configurations - I do not say that this is a good approach).

This may be done by extending the 421 response with additional headers to indicate the desired behaviour. It would be good to hear from people on the client side what their thoughts about this are.

//Stefan

<green/>bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782

Client Certificates - re-opening discussion Mark Nottingham
Re: Client Certificates - re-opening discussion Martin Thomson
Re: Client Certificates - re-opening discussion henry.story@bblfish.net
Re: Client Certificates - re-opening discussion Mark Nottingham
Re: Client Certificates - re-opening discussion Ilari Liusvaara
Re: Client Certificates - re-opening discussion henry.story@bblfish.net
Re: Client Certificates - re-opening discussion Mike Belshe
Re: Client Certificates - re-opening discussion Mark Nottingham
RE: Client Certificates - re-opening discussion Mike Bishop
Re: Client Certificates - re-opening discussion Ilari Liusvaara
Re: Client Certificates - re-opening discussion Eric Rescorla
Re: Client Certificates - re-opening discussion Ilari Liusvaara
Re: Client Certificates - re-opening discussion Stefan Eissing
Re: Client Certificates - re-opening discussion Eric Rescorla
RE: Client Certificates - re-opening discussion Mike Bishop
Re: Client Certificates - re-opening discussion Yoav Nir
RE: Client Certificates - re-opening discussion Mike Bishop
Re: Client Certificates - re-opening discussion Yoav Nir
Re: Client Certificates - re-opening discussion henry.story@bblfish.net
Re: Client Certificates - re-opening discussion Kyle Rose
Re: Client Certificates - re-opening discussion Yoav Nir
Re: Client Certificates - re-opening discussion Stefan Eissing
Re: Client Certificates - re-opening discussion Kyle Rose
Re: Client Certificates - re-opening discussion Mike Belshe
Re: Client Certificates - re-opening discussion henry.story@bblfish.net
Re: Client Certificates - re-opening discussion Stephen Farrell
Re: Client Certificates - re-opening discussion Kyle Rose
Re: Client Certificates - re-opening discussion Jason Greene
Re: Client Certificates - re-opening discussion henry.story@bblfish.net
RE: Client Certificates - re-opening discussion Mike Bishop
Re: Client Certificates - re-opening discussion Stefan Eissing
Re: Client Certificates - re-opening discussion henry.story@bblfish.net
Re: Client Certificates - re-opening discussion Alex Rousskov
Re: Client Certificates - re-opening discussion Mark Nottingham
Re: Client Certificates - re-opening discussion Stefan Eissing
Re: Client Certificates - re-opening discussion Martin Thomson
RE: Client Certificates - re-opening discussion Mike Bishop
Re: Client Certificates - re-opening discussion Yoav Nir
Re: Client Certificates - re-opening discussion Ryan Hamilton