Re: Client Certificates - re-opening discussion

Yoav Nir <> Mon, 21 September 2015 13:08 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id BE7881B3178 for <>; Mon, 21 Sep 2015 06:08:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.012
X-Spam-Status: No, score=-7.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id H3ldk-STee3X for <>; Mon, 21 Sep 2015 06:08:22 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 08B131B3175 for <>; Mon, 21 Sep 2015 06:08:22 -0700 (PDT)
Received: from lists by with local (Exim 4.80) (envelope-from <>) id 1Ze0mK-00012w-JD for; Mon, 21 Sep 2015 13:05:08 +0000
Resent-Date: Mon, 21 Sep 2015 13:05:08 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <>) id 1Ze0mC-0007bc-0g for; Mon, 21 Sep 2015 13:05:00 +0000
Received: from ([]) by with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <>) id 1Ze0mA-0000Kh-AF for; Mon, 21 Sep 2015 13:04:59 +0000
Received: by wicgb1 with SMTP id gb1so113852156wic.1 for <>; Mon, 21 Sep 2015 06:04:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=187vqNnB8O8qDDIHkfjSbLwd1Sxuy//AXg8BGaUle10=; b=dw3XjZp6RNx2hIFq+JOOWhYZVHNPPSu0RDYuZ0qJy2wfONULChTmDFCO9QKif3HhIa FEH/2Shu3MktSlgJ0rBgTVIUiP516iywZtxoqWG1HFA72GXpB3S/n207zOtbGnyGbd1j 5T/40pT+32t2ixXi4ASCf5dRT6V0nRAnWGcE5nNkJmx/Of/CP1138IwkO5e7MNguXuoE krhMs/KocVOiFO5C56rO7gK6ZVHAwxg0cwhXKDvbpBk1uHHJ0PK4Wh8aKL6uTHa5NyW/ VqK6gzJQApXHOE5wAYG/UwoZcaiAVOuLYOGiCN9hYkc9UMbthmy7UUWncKGudHt6tQqc MhPw==
X-Received: by with SMTP id ev5mr12877232wib.15.1442840671805; Mon, 21 Sep 2015 06:04:31 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id gl4sm24044287wjb.29.2015. (version=TLS1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 21 Sep 2015 06:04:30 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Yoav Nir <>
In-Reply-To: <>
Date: Mon, 21 Sep 2015 16:04:28 +0300
Cc: Mike Bishop <>, Eric Rescorla <>, Stefan Eissing <>, Ilari Liusvaara <>, Mark Nottingham <>, Henry Story <>, HTTP Working Group <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <20150918205734.GA23316@LK-Perkele-VII> <> <> <> <> <> <> <>
To: Kyle Rose <>
X-Mailer: Apple Mail (2.2104)
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-5.4
X-W3C-Hub-Spam-Report: AWL=-0.732, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1Ze0mA-0000Kh-AF d036433635201c55242db581dd906ef5
Subject: Re: Client Certificates - re-opening discussion
Archived-At: <>
X-Mailing-List: <> archive/latest/30245
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

> On Sep 21, 2015, at 3:22 PM, Kyle Rose <> wrote:
>> Having the application layer stall doesn’t help. The client requests
>> resources A, B, and C. Resource B requires client authentication. By the
>> time the application stalls, waiting for the client authentication,
>> resources A and C may not have been noticed, or the requests may have been
>> serviced, with A and C in a buffer waiting to be encrypted, or the requests
>> may have been serviced and encrypted and on the way back to the client. A
>> and C may be received in the authenticated or the non-authenticated context.
>> Imagine, for example, that A is a bit of HTML that says “Hello, guest” in
>> the unauthenticated context, or “Hello, Mike” after authentication. You can
>> get the certificate picker and still see the “Hello, guest” on the page.
>> What’s more, I think HTTP authentication has the same issue. If one request
>> gets processed and generates a 401 with WWW-Authenticate, other resources
>> may or may not have been serviced. You can fix this by carefully designing
>> the application so that you don’t load resources that are different based on
>> state at the same time as the authentication is going on.
>> If multiple requests cause the server application to query the HTTP layer
>> for the client’s certificate, then all those requests will wait until the
>> client authentication has completed, just as they would have on a
>> non-multiplexed connection.  Where multiplexing adds a new wrinkle is that,
>> under HTTP/1.1, those connections that didn’t require authentication would
>> proceed without interruption until they’re used for a protected request.
> How did this work in practice with HTTP/1.1, with browsers having
> multiple simultaneous connections open to the same server?
> If I had to guess, I'd say that the primary resource requiring
> authentication was typically the root HTML for a page, which would
> then of course stall every subsequent request for subresources without
> any specific support required in the client: neither multiplexing H2
> nor simultaneous HTTP/1.1 connections would be subject to a race
> condition in this case, requests for the URLs from previously-loaded
> pages that vary on authentication notwithstanding.

Of course that’s how sane people built the web sites. If fact only the root HTML of some page (that you reached by clicking a button that said “Log in with a Certificate”) triggered renegotiation. After renegotiation on one particular connection, the server would plant a COOKIE, which would “bless” all the other connections.

The difference is that now the sane design is mandatory, else you get unpredictable results. A sane design works with renegotiation, #209 and HTTP-layer authentication.