Re: Client-Cert Header draft

Brian Campbell <bcampbell@pingidentity.com> Mon, 20 April 2020 22:21 UTC

That's really quite different than the intended scope of the draft, which
was/is a reverse proxy that's terminating TLS (from the client's
perspective anyway) and talking HTTP with the backend.

On Fri, Apr 17, 2020 at 3:25 PM Soni L. <fakedme+http@gmail.com> wrote:

> If I may, I'd like to suggest a websocket-like mechanism that's initiated
> by TLS terminators.
>
> If the TLS terminator thinks a request needs to reach the server, it can
> let the client request directly from the server that way, including client
> certs and whatnot. If done right, this would also allow protection of other
> sensitive user data (e.g. direct messages) from the TLS terminator.
>
> On 2020-04-17 5:58 p.m., Justin Richer wrote:
>
> +1 for seeing this adopted and progressing within this group. This is a
> simple thing that different developers have had to solve for decades and
> each has solved it in trivially different ways. I would love to see one
> commonly-accepted way to do this.
>
> TLS terminators aren’t going away any time soon, so I think we should make
> them at least a bit more manageable.
>
>  — Justin
>
> On Apr 15, 2020, at 5:01 PM, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> Hello HTTP Working Group,
>
> I've somewhat inadvertently found myself working on this draft
> https://datatracker.ietf.org/doc/draft-bdc-something-something-certificate/,
> which aspires to define a "Client-Cert" HTTP header field that allows a TLS
> terminating reverse proxy to convey information about the client
> certificate of a mutually-authenticated TLS connection to an origin server
> in a common and predictable manner.
>
> I presented the concept
> <https://datatracker.ietf.org/meeting/107/materials/slides-107-secdispatch-client-cert-http-header-00>
> at the recent virtual IETF 107 secdispatch meeting
> <https://datatracker.ietf.org/meeting/107/materials/minutes-107-secdispatch-00>
> and the outcome from that was basically that there seems to be some
> interest in pursuing the work and the suggestion that the conversation be
> taken to the HTTPbis WG (and also keep TLS WG involved - presumably if the
> work progresses). And that's what brings me here. I also hope to get a
> little bit of time at one of the upcoming virtual interims to
> present/discuss the draft.
>
> Thanks,
> Brian

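The trust boundary behind the header Brian describes (a TLS-terminating reverse proxy conveying the client certificate to the origin), as an added illustration that is not code from the draft or from anyone in this thread. It assumes a base64-of-DER header value and a trusted-proxy check at the origin; the thread does not specify either, and the sample certificate bytes are constructed, not a real certificate.

```python
"""Toy model of the proxy-to-origin hop for a Client-Cert style header."""
import base64
import binascii

# Header name the draft aspires to define (taken from the thread).
CLIENT_CERT_HEADER = "client-cert"
# Assumed value encoding: base64 of the DER certificate. This is an
# assumption for the demo; the thread does not state the draft's format.


def proxy_forward(incoming_headers, tls_client_cert_der):
    """Build the header set the TLS-terminating proxy sends to the backend.

    Any Client-Cert header the client itself sent is dropped, otherwise a
    client could assert a certificate it never presented at the TLS layer.
    The header is only added when mutual TLS actually completed.
    """
    forwarded = {k.lower(): v for k, v in incoming_headers.items()
                 if k.lower() != CLIENT_CERT_HEADER}
    if tls_client_cert_der is not None:
        forwarded[CLIENT_CERT_HEADER] = base64.b64encode(
            tls_client_cert_der).decode("ascii")
    return forwarded


def origin_client_cert(headers, peer_is_trusted_proxy):
    """Return the DER client certificate the origin may act on, or None.

    The origin honours the header only when its immediate peer is the
    reverse proxy; a direct connection carrying the header is ignored, and
    a malformed value is treated as absent rather than raising.
    """
    if not peer_is_trusted_proxy:
        return None
    value = headers.get(CLIENT_CERT_HEADER)
    if value is None:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (ValueError, binascii.Error):
        return None


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a DER certificate.
    fake_der = b"\x30\x03\x02\x01\x01"
    client_hdrs = {"Host": "origin.example", "Client-Cert": "forged-value"}
    to_backend = proxy_forward(client_hdrs, fake_der)
    print(to_backend)
    print(origin_client_cert(to_backend, peer_is_trusted_proxy=True))
```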