Re: Report on preliminary decision on TLS 1.3 and client auth

Willy Tarreau <> Sat, 26 September 2015 06:42 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 6742F1B2B03 for <>; Fri, 25 Sep 2015 23:42:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IGhyudN-_smc for <>; Fri, 25 Sep 2015 23:42:11 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 859A81B2B02 for <>; Fri, 25 Sep 2015 23:42:11 -0700 (PDT)
Received: from lists by with local (Exim 4.80) (envelope-from <>) id 1Zfj7p-0005xX-Mc for; Sat, 26 Sep 2015 06:38:25 +0000
Resent-Date: Sat, 26 Sep 2015 06:38:25 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <>) id 1Zfj7j-0005wl-Gb for; Sat, 26 Sep 2015 06:38:19 +0000
Received: from ([] by with esmtp (Exim 4.80) (envelope-from <>) id 1Zfj7h-0003nL-VL for; Sat, 26 Sep 2015 06:38:19 +0000
Received: (from willy@localhost) by pcw.home.local (8.14.3/8.14.3/Submit) id t8Q6bcDq026574; Sat, 26 Sep 2015 08:37:38 +0200
Date: Sat, 26 Sep 2015 08:37:38 +0200
From: Willy Tarreau <>
To: Martin Thomson <>
Cc: Poul-Henning Kamp <>, Yoav Nir <>, Amos Jeffries <>, HTTP Working Group <>
Message-ID: <>
References: <> <> <> <> <> <> <> <>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-7.3
X-W3C-Hub-Spam-Report: AWL=1.277, BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: 1Zfj7h-0003nL-VL 322a4e3db50eb56eabc6367fb733a765
Subject: Re: Report on preliminary decision on TLS 1.3 and client auth
Archived-At: <>
X-Mailing-List: <> archive/latest/30279
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

On Fri, Sep 25, 2015 at 10:08:50AM -0700, Martin Thomson wrote:
> I think that your general observation about client certificates is
> overwhelmingly true.  On the web at least, I'm seeing a general trend
> away from using the TLS layer to authenticate clients.

On the *browser* web that's true, and the main reason is that if you
don't have your cert, you can't connect and you get a connect error
instead of a nice page delivered by the application proposing you to
regenerate your cert. Note: some sites manage to get it right, but
it's really complicated because the application needs to be aware of
what happens at the transport layer and needs to trust itself as much
as the transport layer, which is hardly a good thing to do by todays
development standards... And keep in mind that certs are a pain to
manage. Client certs are even worse because you have to support them
at the edge and manage them in the backend from the application. In
the end it provides no better security than the weakest point : the
application, which may sometimes be forced to generate rogue certs
due to regular bugs, but with a longer effect since these certs can
be abused even after the application bugs are fixed!

Between reverse-proxies and servers, or between servers, client certs
are much more common and perfectly fit the purpose : guarantee to each
side that they're talking with whom they believe they're talking. For
example, you don't forward an online payment request from an application
server on DC A to a payment server on DC B without client auth, or you're
definitely seeking for trouble. Just like you may only accept incoming
connections from your CDN.

> I'd like to find other solutions for the use cases that drive this,
> but the view was that we still needed something like this so that we
> don't strand those users on old protocols.  We don't have to *like* it
> though.
> There was strong agreement that this feature would be accompanied by a
> prominent and severe admonishment against using it.  I definitely want
> to talk about what the alternatives look like, but perhaps we should
> start a separate thread on that subject.

We should always be careful not to make security look evil just because
it comes with privacy concerns. If I go to my bank and want to make a
wire transfer, I have to show my ID card. If at some point people feel
concerned that the person they're talking to suddenly knows their name
and that it's a privacy concern and that they'd rather not ask for the
ID card, I would feel much less safe because I would have a harder way
to prove I'm the one I'm claiming, and others could pretend to be me.

And if I had the choice between having to show my ID card to everyone
in the queue at the same time as the bank's employee, or murmuring a
secret word hoping noone else hears it, guess what ? I'd prefer to show
my ID card to everyone, because as long as I have it and I keep my face,
I'm sure to be the only one to be able to do this wire transfer, while
the secret word can leak and be reused (even by the employee after he
leaves the bank and ends up in the same queue as me).

There are many situations where identification and authentication are
required. And by doing so we have to disclose our identity. We just
have not to abuse this, and possibly remind those who request it that
those who are asked to provide it may feel uncomfortable and that
sometimes alternatives are just as good. But we should not make this
mechanism look evil because it does more good than bad.