RE: Client Certificates - re-opening discussion

Mike Bishop <Michael.Bishop@microsoft.com> Sat, 19 September 2015 22:14 UTC

From: Mike Bishop <Michael.Bishop@microsoft.com>
To: Eric Rescorla <ekr@rtfm.com>, Stefan Eissing <stefan.eissing@greenbytes.de>
CC: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Mark Nottingham <mnot@mnot.net>, Henry Story <henry.story@co-operating.systems>, HTTP Working Group <ietf-http-wg@w3.org>
Date: Sat, 19 Sep 2015 22:10:38 +0000
Message-ID: <CY1PR03MB1374F1CA73EFDA80C7CE44E887580@CY1PR03MB1374.namprd03.prod.outlook.com>
References: <63DECDF0-AB59-4AFD-8E48-8C2526FD6047@mnot.net> <42DDF1C6-F516-4F71-BAE0-C801AD13AA01@co-operating.systems> <2F3BD1CB-042D-48AB-8046-BB8506B8E035@mnot.net> <CABcZeBNpjbNdeqxP_cwCDygk6_MVDoNhqcMEDmEvEBxztmonLg@mail.gmail.com> <20150918205734.GA23316@LK-Perkele-VII> <70D2F8CE-D1A2-440F-ADFC-24D0CE0EDCF1@greenbytes.de> <CABcZeBPNxEA6O324tnF3dbUCLD-a7uUvWYYjO1pnYwAm9cN2eA@mail.gmail.com>
In-Reply-To: <CABcZeBPNxEA6O324tnF3dbUCLD-a7uUvWYYjO1pnYwAm9cN2eA@mail.gmail.com>
Archived-At: <http://www.w3.org/mid/CY1PR03MB1374F1CA73EFDA80C7CE44E887580@CY1PR03MB1374.namprd03.prod.outlook.com>

Kind of a non-problem, but it’s also the problem itself.  The HTTP layer will call different APIs in TLS, but the API HTTP exposes (get client certificate) won’t necessarily change.

- HTTP/1.x + TLS <=1.2 – Client certs work via renegotiation
- HTTP/x + TLS 1.3 – Client certs work via new TLS feature that isn't renegotiation
- HTTP/2 + TLS 1.2 – How do client certs work?

It’s a time-scoped problem, since we hope everyone will eventually be on TLS 1.3, but it’s a nearly-universal problem at the moment.  There are many proposed kludges for HTTP/2 over TLS 1.2 in the meantime, but we need to find something with broader support than any idea currently has.

From: Eric Rescorla [mailto:ekr@rtfm.com]
Sent: Saturday, September 19, 2015 11:18 AM
To: Stefan Eissing <stefan.eissing@greenbytes.de>
Cc: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>; Mark Nottingham <mnot@mnot.net>; Henry Story <henry.story@co-operating.systems>; HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: Client Certificates - re-opening discussion

On Sat, Sep 19, 2015 at 12:18 AM, Stefan Eissing <stefan.eissing@greenbytes.de> wrote:

> Am 18.09.2015 um 22:57 schrieb Ilari Liusvaara <ilari.liusvaara@elisanet.fi>:
>
>> On Fri, Sep 18, 2015 at 01:48:50PM -0700, Eric Rescorla wrote:
>>> On Fri, Sep 18, 2015 at 10:05 AM, Mark Nottingham <mnot@mnot.net> wrote:
>>>
>>> Hi Henry,
>>>
>>> Thanks, but this is a much more narrowly-scoped discussion -- how to make
>>> client certs as they currently operate work in HTTP/2.
>>
>>
>> Is this a question about HTTP/2's limitations versus HTTP/1.1 or about
>> deficiencies
>> in HTTP/1.1 that HTTP/2 has not fixed?
>
> I think this is about the extra limitations of HTTP/2 regarding client
> authentication caused by major design differences between HTTP/1.1 and
> HTTP/2.
>
> Client certs in HTTP/1.1 aren't too great, but at least those don't
> seem to even remotely have the same problems as client certs in HTTP/2
> (especially when in web environment).

> Just to have everyone on the same page. The problems - as we see them in httpd - are
>
> 1. http/1.1 requests may trigger client certs which may require renegotiation. Processing is no longer sequential with http/2, causing conflicts.

Well, presently renegotiation is illegal in HTTP/2, so this is a non-problem.

However, I suppose if we land TLS 1.3 PR#209 it will come back.

-Ekr

> Even if mutexed, what do connection state and h2 stream have to say to each other, and for how long?
>
> 2. connection reuse for different hosts is much more likely as a lot of sites have a long list of subjectAltNames. That raises the likelihood of conflicts as described above.
>
> Any advice on how to address this in an interoperable way is appreciated.
>
> //Stefan
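As an added illustration of Stefan's second point (connection reuse across subjectAltNames) and Mike's HTTP/2 + TLS 1.2 question, this example is not code from the thread or from httpd: it models how an HTTP/2 client may coalesce requests for any host the server certificate covers onto one existing connection, so a client certificate that was negotiated on that connection is implicitly in force for every coalesced host. Host names, SAN lists and the `CN=alice` identity are constructed values.

```python
from dataclasses import dataclass, field
from typing import Optional, Sequence, Tuple

def san_matches(san: str, host: str) -> bool:
    """dNSName matching in the style of RFC 6125 section 6.4.3: case-insensitive,
    and a wildcard only as the entire left-most label, matching exactly one label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                       # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost

def covers(sans: Sequence[str], host: str) -> bool:
    return any(san_matches(s, host) for s in sans)

@dataclass
class H2Connection:
    """One TLS/h2 connection. RFC 7540 section 9.1.1 lets a client reuse it for any
    authority the certificate is valid for (the IP-address check is omitted in this
    constructed model). The client cert, if any, was fixed at the TLS handshake."""
    sans: Tuple[str, ...]
    client_cert: Optional[str] = None
    authorities: list = field(default_factory=list)

    def can_reuse_for(self, host: str) -> bool:
        return covers(self.sans, host)

def route(conn: H2Connection, host: str):
    """Decide whether a request for `host` rides the existing connection and, if so,
    which client identity the server will see attached to that request."""
    if conn.can_reuse_for(host):
        conn.authorities.append(host)
        return ("reused", conn.client_cert)
    return ("new-connection", None)

if __name__ == "__main__":
    # Connection opened for www.example.com; the user presented a cert for that host.
    conn = H2Connection(("www.example.com", "*.example.com", "shop.example.net"),
                        client_cert="CN=alice")
    for h in ("api.example.com", "a.b.example.com", "shop.example.net", "other.test"):
        print(h, route(conn, h))
```

Every host that coalesces onto the connection inherits `CN=alice`, which is the per-host versus per-connection mismatch the thread is discussing.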