IETF Logo Mail Archive

Re: Client Certificates - re-opening discussion

Yoav Nir <ynir.ietf@gmail.com> Wed, 23 September 2015 20:39 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 719431B2BE3 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 23 Sep 2015 13:39:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.011
X-Spam-Level:
X-Spam-Status: No, score=-7.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id efb-ic6O6QwZ for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 23 Sep 2015 13:39:23 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B7591A009E for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 23 Sep 2015 13:39:22 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Zeqlt-0002zM-N0 for ietf-http-wg-dist@listhub.w3.org; Wed, 23 Sep 2015 20:36:09 +0000
Resent-Date: Wed, 23 Sep 2015 20:36:09 +0000
Resent-Message-Id: <E1Zeqlt-0002zM-N0@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <ynir.ietf@gmail.com>) id 1Zeqlm-0002yV-AB for ietf-http-wg@listhub.w3.org; Wed, 23 Sep 2015 20:36:02 +0000
Received: from mail-wi0-f180.google.com ([209.85.212.180]) by lisa.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <ynir.ietf@gmail.com>) id 1Zeqlk-0006N2-L5 for ietf-http-wg@w3.org; Wed, 23 Sep 2015 20:36:01 +0000
Received: by wiclk2 with SMTP id lk2so86406872wic.1 for <ietf-http-wg@w3.org>; Wed, 23 Sep 2015 13:35:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=7nVRfIwaeXXowqqJsdfOuQPL7coueqKW6F0X7FJYygc=; b=w5jcJva5HZh7f01LzWSZ42GruXUONNKKr417nhN0Xa334/3wjwLVvLyqX2Fy/isOn6 FO4bFBN0R92NL4jDexmHp3aXTBuwABGAxwT8V4XbcDABsqieWXxVyDECJDIBtIUps5X+ MrbUIfunsPzWbYJ75RctVFxbWIdcYlqGntWm8iihOul7MjOBFzpWG4avfSj2Wn075TI+ Z1V++vAqUIZ9v7fRa6loqohSCmVoJvIbeQVlcHejLee2yxeAnWwEs7VS94ezvX588wt0 PjZC/c5cCKD2zpnC0DQ0+6lVEZeWVESpEy/2hsToTmm6GNjCjMal01mQH4KD7RUD33hg Cv2w==
X-Received: by 10.194.85.163 with SMTP id i3mr37702755wjz.75.1443040534221; Wed, 23 Sep 2015 13:35:34 -0700 (PDT)
Received: from [192.168.1.12] ([46.120.13.132]) by smtp.gmail.com with ESMTPSA id f17sm8966449wjn.38.2015.09.23.13.35.30 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 23 Sep 2015 13:35:32 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_056C642D-F815-4BD2-A3B7-0BDCF0C07372"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CY1PR03MB13742717AB92BB68C127B57187440@CY1PR03MB1374.namprd03.prod.outlook.com>
Date: Wed, 23 Sep 2015 23:35:28 +0300
Cc: Martin Thomson <martin.thomson@gmail.com>, Stefan Eissing <stefan.eissing@greenbytes.de>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <DF3A8696-5A33-444C-ADB8-87F5303EC6F8@gmail.com>
References: <63DECDF0-AB59-4AFD-8E48-8C2526FD6047@mnot.net> <42DDF1C6-F516-4F71-BAE0-C801AD13AA01@co-operating.systems> <2F3BD1CB-042D-48AB-8046-BB8506B8E035@mnot.net> <CABcZeBNpjbNdeqxP_cwCDygk6_MVDoNhqcMEDmEvEBxztmonLg@mail.gmail.com> <20150918205734.GA23316@LK-Perkele-VII> <70D2F8CE-D1A2-440F-ADFC-24D0CE0EDCF1@greenbytes.de> <CABcZeBPNxEA6O324tnF3dbUCLD-a7uUvWYYjO1pnYwAm9cN2eA@mail.gmail.com> <CY1PR03MB1374F1CA73EFDA80C7CE44E887580@CY1PR03MB1374.namprd03.prod.outlook.com> <9BD53F44-94BA-4931-891A-BD94B5F440D0@gmail.com> <CY1PR03MB1374BE698FEB732EBB9BD96087460@CY1PR03MB1374.namprd03.prod.outlook.com> <68879535-44AB-4E68-BA42-827BA334D9A8@gmail.com> <CAJU8_nX3kOxTavtz6s8EV_M0wfvgQorDsVDRszqqebVEHh++kw@mail.gmail.com> <C6DB2FC1-AA9B-43B9-BF28-AFB6B2957F9E@gmail.com> <6B89D91E-8E76-46E0-A2B5-1E764DDC5AD0@greenbytes.de> <CAJU8_nX5jY6X0Nnd5Vke0wpYS3UCsmyzqvD6xoQ4u_L7Wfr3SQ@mail.gmail.com> <4456BAAA-125B-4038-AAC7-77A20F0C75B1@co-operating.systems> <C874EAAC-FF26-42C6-BB6C-5785A6508664@bblfish.net> <CY1PR03MB137427E0C66A2297C844DDBF87460@CY1PR03MB1374.namprd03.prod.outlook.com> <F2A23F97-E114-40D3-8691-84CB7B54A791@greenbytes.de> <E549D977-DC88-4E39-B65B-EE674E541157@mnot.net> <06F248CF-E092-4959-9784-11FA1FFD36A7@greenbytes.de> <CABkgnnVMzvKhFB_8EmE8Dj9m4_cOafWhyWXtUSwSXK_a9MdUbA@mail.gmail.com> <CY1PR03MB13742717AB92BB68C127B57187440@CY1PR03MB1374.namprd03.prod.outlook.com>
To: Mike Bishop <Michael.Bishop@microsoft.com>
X-Mailer: Apple Mail (2.2104)
Received-SPF: pass client-ip=209.85.212.180; envelope-from=ynir.ietf@gmail.com; helo=mail-wi0-f180.google.com
X-W3C-Hub-Spam-Status: No, score=-5.0
X-W3C-Hub-Spam-Report: AWL=-1.318, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1Zeqlk-0006N2-L5 41944e71210986bac28af0cf49abd601
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Client Certificates - re-opening discussion
Archived-At: <http://www.w3.org/mid/DF3A8696-5A33-444C-ADB8-87F5303EC6F8@gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/30264
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

I agree that it makes the most sense from the client’s perspective to close the HTTP/2 connection and move entirely to HTTP/1 once the H1R response is received.

It’s kind of sad, because most applications that I’ve seen have just one resource that triggers the renegotiation (ours is called “login_with_certs.html”), and everything else is authorized by the cookie that is set by the response to that request. The HTTP/2 connection could be safely used for everything else on the site.

But there is no way for the browser to know that. And trying each resource with the HTTP/2 connection and optionally moving it to the HTTP/1 connection sounds like a really poor idea.

Yoav


> On Sep 23, 2015, at 6:58 PM, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
> 
> I agree, it would have been nice to specify some level of scope on the HTTP_1_1_REQUIRED – but then again, the server code may not even know the scope of resources that trigger it, and fallback to HTTP/1.1 is always permissible.  If we receive H1R for one or more resources, we open a 1.1 connection and retry it/them.  If they succeed on 1.1, we’ll switch entirely to 1.1 for the remainder of that session.  (With some additional implementation-specific stuff around the client-cert case and not wanting to stall renegotiation waiting for UI.)
>  
> From: Martin Thomson [mailto:martin.thomson@gmail.com] 
> Sent: Wednesday, September 23, 2015 8:26 AM
> To: Stefan Eissing <stefan.eissing@greenbytes.de>
> Cc: Mark Nottingham <mnot@mnot.net>; HTTP Working Group <ietf-http-wg@w3.org>
> Subject: Re: Client Certificates - re-opening discussion
>  
> 
> On Sep 23, 2015 1:55 AM, "Stefan Eissing" <stefan.eissing@greenbytes.de <mailto:stefan.eissing@greenbytes.de>> wrote:
> > One could advise a client that HTTP_1_1_REQUIRED indicates that the request uri ref indicates the server realm where this restriction applies. For Apache httpd at least, client cert renegotiation is a directory based configuration.
> 
> The notion that you might infer something about other resources based on some unspecified dissection of a URL and a response seems to fragile to be wise. That suggests something explicit, which leads back to 421.
> 
> > Further, a client thus falling back to HTTP/1.1 to trigger the proper TLS params, *could* try to "Upgrade:" to h2 again on the same request, given that all security requirements are fulfilled. This is outside the spec atm, right?
> 
> Yeah, TLS implies ALPN.
> 
> > (I had already one site with "421 Ping Pong" reported, where the client got a 421, teared down the connection, opened a new one, got a 421 on a later request, teared down again, opened exactly as in the beginning a new one... all this does not match exactly this case, but it shows that there are interop issues lurking.)
> 
> Redirect loops happen too, so I imagine that this can be handled in a catchall.
> 
> The ideal solution is to find ways to address all use cases in HTTP/2. For that, I agree that client authentication in response to a request will be needed.
>

v2.23.0 | Report a Bug | By Email