IETF Logo Mail Archive

Re: Client Certificates - re-opening discussion

Yoav Nir <ynir.ietf@gmail.com> Mon, 21 September 2015 13:08 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE7881B3178 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 21 Sep 2015 06:08:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.012
X-Spam-Level:
X-Spam-Status: No, score=-7.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H3ldk-STee3X for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 21 Sep 2015 06:08:22 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08B131B3175 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 21 Sep 2015 06:08:22 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Ze0mK-00012w-JD for ietf-http-wg-dist@listhub.w3.org; Mon, 21 Sep 2015 13:05:08 +0000
Resent-Date: Mon, 21 Sep 2015 13:05:08 +0000
Resent-Message-Id: <E1Ze0mK-00012w-JD@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <ynir.ietf@gmail.com>) id 1Ze0mC-0007bc-0g for ietf-http-wg@listhub.w3.org; Mon, 21 Sep 2015 13:05:00 +0000
Received: from mail-wi0-f177.google.com ([209.85.212.177]) by lisa.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <ynir.ietf@gmail.com>) id 1Ze0mA-0000Kh-AF for ietf-http-wg@w3.org; Mon, 21 Sep 2015 13:04:59 +0000
Received: by wicgb1 with SMTP id gb1so113852156wic.1 for <ietf-http-wg@w3.org>; Mon, 21 Sep 2015 06:04:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=187vqNnB8O8qDDIHkfjSbLwd1Sxuy//AXg8BGaUle10=; b=dw3XjZp6RNx2hIFq+JOOWhYZVHNPPSu0RDYuZ0qJy2wfONULChTmDFCO9QKif3HhIa FEH/2Shu3MktSlgJ0rBgTVIUiP516iywZtxoqWG1HFA72GXpB3S/n207zOtbGnyGbd1j 5T/40pT+32t2ixXi4ASCf5dRT6V0nRAnWGcE5nNkJmx/Of/CP1138IwkO5e7MNguXuoE krhMs/KocVOiFO5C56rO7gK6ZVHAwxg0cwhXKDvbpBk1uHHJ0PK4Wh8aKL6uTHa5NyW/ VqK6gzJQApXHOE5wAYG/UwoZcaiAVOuLYOGiCN9hYkc9UMbthmy7UUWncKGudHt6tQqc MhPw==
X-Received: by 10.180.100.37 with SMTP id ev5mr12877232wib.15.1442840671805; Mon, 21 Sep 2015 06:04:31 -0700 (PDT)
Received: from [172.24.250.111] (dyn32-131.checkpoint.com. [194.29.32.131]) by smtp.gmail.com with ESMTPSA id gl4sm24044287wjb.29.2015.09.21.06.04.29 (version=TLS1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 21 Sep 2015 06:04:30 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CAJU8_nX3kOxTavtz6s8EV_M0wfvgQorDsVDRszqqebVEHh++kw@mail.gmail.com>
Date: Mon, 21 Sep 2015 16:04:28 +0300
Cc: Mike Bishop <Michael.Bishop@microsoft.com>, Eric Rescorla <ekr@rtfm.com>, Stefan Eissing <stefan.eissing@greenbytes.de>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Mark Nottingham <mnot@mnot.net>, Henry Story <henry.story@co-operating.systems>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C6DB2FC1-AA9B-43B9-BF28-AFB6B2957F9E@gmail.com>
References: <63DECDF0-AB59-4AFD-8E48-8C2526FD6047@mnot.net> <42DDF1C6-F516-4F71-BAE0-C801AD13AA01@co-operating.systems> <2F3BD1CB-042D-48AB-8046-BB8506B8E035@mnot.net> <CABcZeBNpjbNdeqxP_cwCDygk6_MVDoNhqcMEDmEvEBxztmonLg@mail.gmail.com> <20150918205734.GA23316@LK-Perkele-VII> <70D2F8CE-D1A2-440F-ADFC-24D0CE0EDCF1@greenbytes.de> <CABcZeBPNxEA6O324tnF3dbUCLD-a7uUvWYYjO1pnYwAm9cN2eA@mail.gmail.com> <CY1PR03MB1374F1CA73EFDA80C7CE44E887580@CY1PR03MB1374.namprd03.prod.outlook.com> <9BD53F44-94BA-4931-891A-BD94B5F440D0@gmail.com> <CY1PR03MB1374BE698FEB732EBB9BD96087460@CY1PR03MB1374.namprd03.prod.outlook.com> <68879535-44AB-4E68-BA42-827BA334D9A8@gmail.com> <CAJU8_nX3kOxTavtz6s8EV_M0wfvgQorDsVDRszqqebVEHh++kw@mail.gmail.com>
To: Kyle Rose <krose@krose.org>
X-Mailer: Apple Mail (2.2104)
Received-SPF: pass client-ip=209.85.212.177; envelope-from=ynir.ietf@gmail.com; helo=mail-wi0-f177.google.com
X-W3C-Hub-Spam-Status: No, score=-5.4
X-W3C-Hub-Spam-Report: AWL=-0.732, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1Ze0mA-0000Kh-AF d036433635201c55242db581dd906ef5
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Client Certificates - re-opening discussion
Archived-At: <http://www.w3.org/mid/C6DB2FC1-AA9B-43B9-BF28-AFB6B2957F9E@gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/30245
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

> On Sep 21, 2015, at 3:22 PM, Kyle Rose <krose@krose.org> wrote:
> 
>> Having the application layer stall doesn’t help. The client requests
>> resources A, B, and C. Resource B requires client authentication. By the
>> time the application stalls, waiting for the client authentication,
>> resources A and C may not have been noticed, or the requests may have been
>> serviced, with A and C in a buffer waiting to be encrypted, or the requests
>> may have been serviced and encrypted and on the way back to the client. A
>> and C may be received in the authenticated or the non-authenticated context.
>> Imagine, for example, that A is a bit of HTML that says “Hello, guest” in
>> the unauthenticated context, or “Hello, Mike” after authentication. You can
>> get the certificate picker and still see the “Hello, guest” on the page.
>> 
>> What’s more, I think HTTP authentication has the same issue. If one request
>> gets processed and generates a 401 with WWW-Authenticate, other resources
>> may or may not have been serviced. You can fix this by carefully designing
>> the application so that you don’t load resources that are different based on
>> state at the same time as the authentication is going on.
>> 
>> If multiple requests cause the server application to query the HTTP layer
>> for the client’s certificate, then all those requests will wait until the
>> client authentication has completed, just as they would have on a
>> non-multiplexed connection.  Where multiplexing adds a new wrinkle is that,
>> under HTTP/1.1, those connections that didn’t require authentication would
>> proceed without interruption until they’re used for a protected request.
> 
> How did this work in practice with HTTP/1.1, with browsers having
> multiple simultaneous connections open to the same server?
> 
> If I had to guess, I'd say that the primary resource requiring
> authentication was typically the root HTML for a page, which would
> then of course stall every subsequent request for subresources without
> any specific support required in the client: neither multiplexing H2
> nor simultaneous HTTP/1.1 connections would be subject to a race
> condition in this case, requests for the URLs from previously-loaded
> pages that vary on authentication notwithstanding.

Of course that’s how sane people built the web sites. If fact only the root HTML of some page (that you reached by clicking a button that said “Log in with a Certificate”) triggered renegotiation. After renegotiation on one particular connection, the server would plant a COOKIE, which would “bless” all the other connections.

The difference is that now the sane design is mandatory, else you get unpredictable results. A sane design works with renegotiation, #209 and HTTP-layer authentication.

Yoav

v2.23.0 | Report a Bug | By Email