Re: HTTP/2 and TLS 1.3 post-handshake authenication
David Benjamin <davidben@chromium.org> Thu, 04 April 2019 15:40 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99EDF120443 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 4 Apr 2019 08:40:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.999
X-Spam-Level:
X-Spam-Status: No, score=-2.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eeobTYakfGZB for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 4 Apr 2019 08:40:31 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B02621200DE for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 4 Apr 2019 08:40:30 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1hC4RH-0004fq-Mb for ietf-http-wg-dist@listhub.w3.org; Thu, 04 Apr 2019 15:38:03 +0000
Resent-Date: Thu, 04 Apr 2019 15:38:03 +0000
Resent-Message-Id: <E1hC4RH-0004fq-Mb@frink.w3.org>
Received: from mimas.w3.org ([2603:400a:ffff:804:801e:34:0:4f]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <davidben@google.com>) id 1hC4RG-0004eu-19 for ietf-http-wg@listhub.w3.org; Thu, 04 Apr 2019 15:38:02 +0000
Received: from mail-qk1-x729.google.com ([2607:f8b0:4864:20::729]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <davidben@google.com>) id 1hC4RC-0007Io-8A for ietf-http-wg@w3.org; Thu, 04 Apr 2019 15:38:01 +0000
Received: by mail-qk1-x729.google.com with SMTP id k130so1916995qke.3 for <ietf-http-wg@w3.org>; Thu, 04 Apr 2019 08:37:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9kzklP1QjtPWnboBlHtu/9yDGLQvSGmMBFrDC3Ord54=; b=KSpCv1mCUB8/+Ss3fhC47Zu1GH+EfAC77CVmQFWSLSHWeT+91ft2a43q5itFmtgCPw 6l9IMHSssZrK/gHT/PxS8t6QRuIFzb4n8ZVYVLDqjEQgR2QSg4zcJnj92DOYx/upzoi1 jiDdE3PjZrZSGNm2yWw55eOQiag35gbm/6+zQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9kzklP1QjtPWnboBlHtu/9yDGLQvSGmMBFrDC3Ord54=; b=uC2Ko1gsYU89A+CUDFNou9gRHSghCZjoM0PcdEcXZhim4HSeE9arJSUowVkZ/JyBFF 4M/1nkwh2iW0v4FxGnizIIGrHno9dsO7P48lQcHzJBc1TK5ueKdLZWaSlX0MPJP9xKZj cgF9z+HRFxKjF47TOzRgI2zdcblFt1OflW+trqHkQrqzD8tayzDVGrg98yhPf75uiRIe WQ2TTv2zJh0HwsJzjcoq03ZRCt1zP63e0B5+wsGZUeNXigpZG/VImqpSlD1Q2JCoCyIJ YHxvsD3eJoI8HGSvR4qTxdVdYZox4xp9gLMDfzZ0EtZsPCiQoillmjuC+68aC25drwlH uB/g==
X-Gm-Message-State: APjAAAWEWuoXFl1X0JGZGx7j2RYLz+/v+NG1G+vXQjgdBMozdyz2xhZe GpYiHQSVWXqKeMsBti3UiBv9sScXeJYCPTNXMwEeR8gNWg==
X-Google-Smtp-Source: APXvYqzgeJEhXSBYswHgse4TwHeTrNRxnvtaoCipcMO/p9VgS3YVjQGcKk4FEmCxYqosk2rcyLMZxqm1ZBWNvdaiOiI=
X-Received: by 2002:a37:a4d1:: with SMTP id n200mr5629414qke.62.1554392256775; Thu, 04 Apr 2019 08:37:36 -0700 (PDT)
MIME-Version: 1.0
References: <CAF8qwaCB6jsa03jtL+9W06s+Aqh1+ftwZaM+PH-b=5Omq5KG_w@mail.gmail.com> <CAOdDvNqHQNgKGXDzviRT6CEew+CcXcLLZeS+dNU6u8pYUEeQrw@mail.gmail.com>
In-Reply-To: <CAOdDvNqHQNgKGXDzviRT6CEew+CcXcLLZeS+dNU6u8pYUEeQrw@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 04 Apr 2019 10:37:19 -0500
Message-ID: <CAF8qwaDxG5uT+KM+TW8Ty_Ew3OCYG7ykVshGNuSNkiSaL5-Wyg@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="0000000000004eebc90585b626b7"
Received-SPF: pass client-ip=2607:f8b0:4864:20::729; envelope-from=davidben@google.com; helo=mail-qk1-x729.google.com
X-W3C-Hub-Spam-Status: No, score=-11.5
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1hC4RC-0007Io-8A 70b3c90ce288aec94d348b1f39dc8beb
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HTTP/2 and TLS 1.3 post-handshake authenication
Archived-At: <https://www.w3.org/mid/CAF8qwaDxG5uT+KM+TW8Ty_Ew3OCYG7ykVshGNuSNkiSaL5-Wyg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/36501
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Sure. Whatever you all think makes sense. I don't really know the usual process for these things. On Thu, Apr 4, 2019 at 8:22 AM Patrick McManus <mcmanus@ducksong.com> wrote: > David, this looks good and obvious to me. Would you like the chairs to > discuss issuing a working group call for adoption for it? > > On Tue, Apr 2, 2019 at 1:23 AM David Benjamin <davidben@chromium.org> > wrote: > >> Hi all, >> >> HTTP/2 and TLS 1.3 have a minor incompatibility around post-handshake >> authentication. Mike Bishop suggested that, rather than add some text in >> the secondary certs draft, it would better to make a separate document that >> actually updates HTTP/2. I've done so and uploaded a draft. >> https://tools.ietf.org/html/draft-davidben-http2-tls13-00 >> https://www.ietf.org/id/draft-davidben-http2-tls13-00.txt >> >> HTTP/2 was specified against TLS 1.2, which had a renegotiation mechanism >> to rekey the connection. It additionally changed parameters, so in >> HTTP/1.1, this is often used in a hack to implement reactive client auth >> <https://tools.ietf.org/html/draft-ietf-httpbis-http2-secondary-certs-03#section-1.2.1>. >> This hack doesn't work in a multiplexed protocol like HTTP/2, because the >> client cannot tell which request triggered the authentication request. >> Thus, HTTP/2 forbids renegotiation >> <https://tools.ietf.org/html/rfc7540#section-9.2.1>. >> >> TLS 1.3 removed renegotiation and replaced it with two features: a >> lightweight key update, and post-handshake client authentication. The >> former is meant to be transparent and is compatible with HTTP/2. The latter >> reintroduces renegotiation's multiplexing problems. There is no spec text >> which says how to interpret HTTP/2's existing renegotiation ban in TLS 1.3. >> >> The draft fixes it by documenting the status quo. KeyUpdate is fine. It >> is internal to the TLS stack and works just fine in existing servers[*]. >> Post-handshake auth is forbidden. No existing servers request it because >> they already do not request renegotiation, and no existing clients accept >> it because they cannot usefully interpret it. Instead, the reactive client >> auth use case for HTTP/2 is instead being covered >> by draft-ietf-httpbis-http2-secondary-certs. >> >> Note it's not sufficient to lean on the TLS 1.3 post_handshake_auth >> extension because that extension is not correlated with ALPN. A client may >> wish to support post-handshake auth with HTTP/1.1, for continuity with the >> TLS 1.2 renego hack, while still supporting HTTP/2. >> >> David >> >> [*] Aside from an OpenSSL bug >> <https://mailarchive.ietf.org/arch/msg/tls/Aw1WY5gBAifAZXowgx5Ym82RIKI> which, >> pertinently, made some applications misinterpret it as a renegotiation to >> be blocked. That bug has been fixed in OpenSSL 1.1.1b >> <https://www.openssl.org/news/changelog.html#x1>. >> >
- HTTP/2 and TLS 1.3 post-handshake authenication David Benjamin
- Re: HTTP/2 and TLS 1.3 post-handshake authenicati… Martin Thomson
- Re: HTTP/2 and TLS 1.3 post-handshake authenicati… David Benjamin
- Re: HTTP/2 and TLS 1.3 post-handshake authenicati… Patrick McManus
- Re: HTTP/2 and TLS 1.3 post-handshake authenicati… David Benjamin