Re: Client Certificates - re-opening discussion
Mark Nottingham <mnot@mnot.net> Fri, 18 September 2015 17:09 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 601261ACDCC for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 18 Sep 2015 10:09:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AouQPC9ky6LX for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 18 Sep 2015 10:09:14 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13EFF1ACDBF for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 18 Sep 2015 10:09:13 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Zcz6V-00085D-Uh for ietf-http-wg-dist@listhub.w3.org; Fri, 18 Sep 2015 17:05:43 +0000
Resent-Date: Fri, 18 Sep 2015 17:05:43 +0000
Resent-Message-Id: <E1Zcz6V-00085D-Uh@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mnot@mnot.net>) id 1Zcz6R-00084S-7W for ietf-http-wg@listhub.w3.org; Fri, 18 Sep 2015 17:05:39 +0000
Received: from mxout-08.mxes.net ([216.86.168.183]) by maggie.w3.org with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <mnot@mnot.net>) id 1Zcz6P-0005nx-Qi for ietf-http-wg@w3.org; Fri, 18 Sep 2015 17:05:38 +0000
Received: from [172.30.30.2] (unknown [72.246.3.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 3F2F5509BB; Fri, 18 Sep 2015 13:05:14 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <42DDF1C6-F516-4F71-BAE0-C801AD13AA01@co-operating.systems>
Date: Fri, 18 Sep 2015 13:05:14 -0400
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2F3BD1CB-042D-48AB-8046-BB8506B8E035@mnot.net>
References: <63DECDF0-AB59-4AFD-8E48-8C2526FD6047@mnot.net> <42DDF1C6-F516-4F71-BAE0-C801AD13AA01@co-operating.systems>
To: Henry Story <henry.story@co-operating.systems>
X-Mailer: Apple Mail (2.2104)
Received-SPF: pass client-ip=216.86.168.183; envelope-from=mnot@mnot.net; helo=mxout-08.mxes.net
X-W3C-Hub-Spam-Status: No, score=-7.7
X-W3C-Hub-Spam-Report: AWL=1.923, BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1Zcz6P-0005nx-Qi 718a93e503d156485d5e4bf09a98fdc3
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Client Certificates - re-opening discussion
Archived-At: <http://www.w3.org/mid/2F3BD1CB-042D-48AB-8046-BB8506B8E035@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/30216
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi Henry, Thanks, but this is a much more narrowly-scoped discussion -- how to make client certs as they currently operate work in HTTP/2. At most, I think we'd be talking about incrementally improving client certs (e.g., clarifying / optimising the scope of their applicability -- and that really just is an example, not a statement of intent). Cheers, > On 18 Sep 2015, at 11:53 am, Henry Story <henry.story@co-operating.systems> wrote: > > >> On 17 Sep 2015, at 23:10, Mark Nottingham <mnot@mnot.net> wrote: >> >> Hi, >> >> We've talked about client certificates in HTTP/2 (and elsewhere) for a while, but the discussion has stalled. >> >> I've heard from numerous places that this is causing Pain. So, I'd like to devote a chunk of our time in Yokohama to discussing this. >> >> If you have a proposal or thoughts that might become a proposal in this area, please brush it off and be prepared. Of course, we can discuss on-list in the meantime. >> >> Cheers, >> >> -- >> Mark Nottingham https://www.mnot.net/ > > > Apart from the proposals as the proposal by Martin Thomson > and the follow up work referenced earlier in this thread > by Mike Bishop [1], I'd like to mention more HTTP centric > prototypes which would rely perhaps not so much on certificates, > but on linked public keys, that build on existing HTTP > mechanisms such as WWW-Authenticate, which if they pass security > scrutiny would fit nicely it seems to me with HTTP/2.0 . > > • Andrei Sambra's first sketch authentication protocol > https://github.com/solid/solid-spec#webid-rsa > > • Manu Sporny's more fully fleshed out HTTP Message signature > https://tools.ietf.org/html/draft-cavage-http-signatures-04 > > These and the more TLS centric protocols require the user > agent to be able to use public/private keys generated by > the agent, and signed or published by that origin, to > authenticate or sign documents across origins. > > This is where one often runs into the Same Origin Policy (SOP) > stone wall. There was an important discussion on > public-webappsec@w3.org [1] and public-web-security@w3.org > entitled > > "A Somewhat Critical View of SOP (Same Origin Policy)" [2] > > that I think has helped clarify the distinction between Same Origin > Policy, Linkability, Privacy and User Control, and which I hope > has helped show that this policy cannot be applied without > care nor can it apply everywhere. > > The arguments developed there should be helpful in opening discussion > here and elswhere too I think. In a couple of e-mails in that > thread, I went into great detail showing how SOP, linkability and User > Control and privacy apply in very different ways to 4 technologies: > Cookies, FIDO, JS Crypto API and client certificates [3]. This shows > that the concepts don't overlap, two being technical and the two > legal/philosophical, each technology enabling some aspect of the > other, and not always the way one would expect. > > Having made those conceptual distinctions I think the path to > acceptance of solutions proposed by this group will be much eased. > > Looking forward to following and testing work developed here, > > All the best, > > Henry > > > [1] • starting: https://lists.w3.org/Archives/Public/ietf-http-wg/2015AprJun/0558.html > • most recent by Mike Bishop > https://lists.w3.org/Archives/Public/ietf-http-wg/2015JulSep/0310.html > [2] https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/ > [3] https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0101.html > which is in part summarised with respect to FIDO in a much shorter > email > https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0119.html > -- Mark Nottingham https://www.mnot.net/
- Client Certificates - re-opening discussion Mark Nottingham
- Re: Client Certificates - re-opening discussion Martin Thomson
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Mark Nottingham
- Re: Client Certificates - re-opening discussion Ilari Liusvaara
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Mike Belshe
- Re: Client Certificates - re-opening discussion Mark Nottingham
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Ilari Liusvaara
- Re: Client Certificates - re-opening discussion Eric Rescorla
- Re: Client Certificates - re-opening discussion Ilari Liusvaara
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion Eric Rescorla
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Yoav Nir
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Yoav Nir
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Kyle Rose
- Re: Client Certificates - re-opening discussion Yoav Nir
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion Kyle Rose
- Re: Client Certificates - re-opening discussion Mike Belshe
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Stephen Farrell
- Re: Client Certificates - re-opening discussion Kyle Rose
- Re: Client Certificates - re-opening discussion Jason Greene
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Alex Rousskov
- Re: Client Certificates - re-opening discussion Mark Nottingham
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion Martin Thomson
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Yoav Nir
- Re: Client Certificates - re-opening discussion Ryan Hamilton