IETF Logo Mail Archive

Re: Call for Adoption: Secondary Certificate Authentication in HTTP/2

Cory Benfield <cory@lukasa.co.uk> Fri, 24 June 2016 08:33 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA7A112D8EF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 24 Jun 2016 01:33:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.347
X-Spam-Level:
X-Spam-Status: No, score=-8.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lukasa-co-uk.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R-hoqtem9ixh for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 24 Jun 2016 01:33:27 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B110E12D9EC for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 24 Jun 2016 01:33:27 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1bGMUO-0003vy-LB for ietf-http-wg-dist@listhub.w3.org; Fri, 24 Jun 2016 08:29:24 +0000
Resent-Date: Fri, 24 Jun 2016 08:29:24 +0000
Resent-Message-Id: <E1bGMUO-0003vy-LB@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <cory@lukasa.co.uk>) id 1bGMUJ-0003vH-CI for ietf-http-wg@listhub.w3.org; Fri, 24 Jun 2016 08:29:19 +0000
Received: from mail-wm0-f53.google.com ([74.125.82.53]) by maggie.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <cory@lukasa.co.uk>) id 1bGMUE-0005ly-WA for ietf-http-wg@w3.org; Fri, 24 Jun 2016 08:29:16 +0000
Received: by mail-wm0-f53.google.com with SMTP id r201so15128485wme.1 for <ietf-http-wg@w3.org>; Fri, 24 Jun 2016 01:28:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lukasa-co-uk.20150623.gappssmtp.com; s=20150623; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to; bh=t3BuO9M6kRYSZu/BHhVJYNOmDcy3bJPYHrB1NduTu4I=; b=WvZosi8Ft+6KdWiVaQsIpoSG6zOZ5b09FePfJYUbBqEr0CHZxmjxP1INICtgeH5v1Q cyHvStQy8fjIqX/BlVrfyhEpOeJ7J2Z71yVcHztd2hp50VLUA3lry8oWSqtFt0HBAmVe XW/VPTdZKkAUci+XwhJoFvGh760BRw0pT/xyFlENbK8DU4KcvvSSL13v8lF4sVspQ7vF 9uFudA7F+4xQXB3AGr0ZzTYGzammWCa7hBf0FkgUtuTJMSvIKZwo1X/jQrN+UjT3MjM3 cgEnSbuxQ84R5aSVXWIR4E3ZbBsHjygBfxytg50m7Em74RXqdMbObM4ZfJDlGLdE7ra6 JAkQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :message-id:references:to; bh=t3BuO9M6kRYSZu/BHhVJYNOmDcy3bJPYHrB1NduTu4I=; b=Ud0+qImPSMxUPOu6Ggm+jDaPyQV0gt6XIhpn9pA6y0F/DGyMeNpnV0ZSKJ2/GxJZLJ DmQ/r3r6NcEtm/y+43yzNBpwfbw6s9eLGekY/gujfWAGfDZ7kr+LGSG4hVhLB1OWJeo7 OqXL1uNPk/ASNOaUlu/p/AaInfa582q8Hy/7S1btqBl3G0z3POqbwzGOrrM2RkWGtOik GoWf5IPPSrcAp4u9rVYt1TeNGnyCScPyDP6q9yRYszD5zBHlEzgfCrwsZRbPTulOQWFA 74Z3lcN0PwJOJnnzB/FUgWliQc4Gq1eU7Vvk2z7S2+piNc1UsDRPJjGh8F6h9VED4T/g lmiA==
X-Gm-Message-State: ALyK8tLKg8vzeJa7Cs3cAH1nEBx5Ii6/EDHTwXcQzGgsO9KMTSvQxNw0lYlxBcmbw4PKCg==
X-Received: by 10.194.81.138 with SMTP id a10mr2884477wjy.53.1466756927832; Fri, 24 Jun 2016 01:28:47 -0700 (PDT)
Received: from [192.168.1.5] (225.204.208.46.dyn.plus.net. [46.208.204.225]) by smtp.gmail.com with ESMTPSA id q63sm1973502wma.0.2016.06.24.01.28.46 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 24 Jun 2016 01:28:47 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_C94AED4F-9D11-4A97-82B7-724B757F2A7D"; protocol="application/pgp-signature"; micalg="pgp-sha256"
X-Pgp-Agent: GPGMail 2.6b2
From: Cory Benfield <cory@lukasa.co.uk>
In-Reply-To: <F9D2CFF3-57C2-41BD-ACB1-FA6C991458D7@mnot.net>
Date: Fri, 24 Jun 2016 09:28:44 +0100
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <3B8E2C61-91A6-431B-9805-1AD01E0B550D@lukasa.co.uk>
References: <F9D2CFF3-57C2-41BD-ACB1-FA6C991458D7@mnot.net>
To: Mark Nottingham <mnot@mnot.net>
X-Mailer: Apple Mail (2.3124)
Received-SPF: pass client-ip=74.125.82.53; envelope-from=cory@lukasa.co.uk; helo=mail-wm0-f53.google.com
X-W3C-Hub-Spam-Status: No, score=-4.6
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1bGMUE-0005ly-WA fafdef4878da5dfd348b41bc4579b9e1
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Call for Adoption: Secondary Certificate Authentication in HTTP/2
Archived-At: <http://www.w3.org/mid/3B8E2C61-91A6-431B-9805-1AD01E0B550D@lukasa.co.uk>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31785
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

> On 24 Jun 2016, at 01:41, Mark Nottingham <mnot@mnot.net> wrote:
> 
> <https://tools.ietf.org/html/draft-bishop-httpbis-http2-additional-certs>
> 
> We've discussed carrying certificates and related artefacts in HTTP for a long time. This draft from Mike and Martin is an evolution of several previous approaches.
> 
> Please state whether you support adoption, and ideally why. Expressions of interest in implementation would also be very helpful.

This draft seems like it does address several of the concerns that have been raised about certificates in HTTP/2.

My biggest concern with it is that this is a *massive* draft that appears to address several related but independent concerns at once. I’m not immediately sure that that’s the best approach with this: is there any value in breaking this draft up until multiple drafts, each of which addresses a single concern? At the very least we could have two: one for the AltSvc case of multiple origins on one connection, and one for the client certificate case.

Cory

v2.23.0 | Report a Bug | By Email