IETF Logo Mail Archive

Re: Call for Adoption: Secondary Certificate Authentication in HTTP/2

Martin Thomson <martin.thomson@gmail.com> Mon, 27 June 2016 23:56 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AB3F12DAAB for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 27 Jun 2016 16:56:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.447
X-Spam-Level:
X-Spam-Status: No, score=-8.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xRo5oQ1rpn_5 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 27 Jun 2016 16:56:51 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EA8112DAA3 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 27 Jun 2016 16:56:51 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1bHgKo-0000MH-65 for ietf-http-wg-dist@listhub.w3.org; Mon, 27 Jun 2016 23:52:58 +0000
Resent-Date: Mon, 27 Jun 2016 23:52:58 +0000
Resent-Message-Id: <E1bHgKo-0000MH-65@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <martin.thomson@gmail.com>) id 1bHgKh-0000L7-D1 for ietf-http-wg@listhub.w3.org; Mon, 27 Jun 2016 23:52:51 +0000
Received: from mail-qt0-f171.google.com ([209.85.216.171]) by maggie.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <martin.thomson@gmail.com>) id 1bHgKf-0008DZ-7w for ietf-http-wg@w3.org; Mon, 27 Jun 2016 23:52:50 +0000
Received: by mail-qt0-f171.google.com with SMTP id f89so233574qtd.2 for <ietf-http-wg@w3.org>; Mon, 27 Jun 2016 16:52:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Psk7ReWZ12ahHk+o3xc1JnXCvWBtqvIliw8GDxeyMH0=; b=CBkw7j1694gqx0Yd5B32b1i0au4uBXJhhwWIidxHWiu3hR3J2axZGijwLteMdvq+yy 72EpwYzZoiF+bOWow9gVWLTD0E07wEdXi8DJjKmj8ZekWJU8ek6wy+c/smS+JPLaj6wT 6hay0vFcZoV6q+dw74RwxKz+WpGhghgPTe23pew+lSCfT2Yyi7lm1JSxcW56JQMEK+6u 7OkBuRSRTlzTsDKKrfVmFj01dYZDZhoVXwQyT1yqxJBu1eGt1/O67q/cm4MGxVDmD8HM 3N7hbhkpEUvF8on6mUOAtHKluKfZG8BKAfxbh5iAHrAICiXj7cBcrjGVKG/EN84lPCwF 6sNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Psk7ReWZ12ahHk+o3xc1JnXCvWBtqvIliw8GDxeyMH0=; b=KB186qUNJ6n6R1ABIAvfrozqrtNSI81H+yKEI8fTRfgdkzYyQcmUIW0fK5inLAtQLF 10pq/YuaJeMOZ4DB4hyEHF86xVz8GePerNSj5W5RUsLh3zq5ouLjZg5xOOx5F8DruCbh O3eocoUbSsPvGwgf1EdqH2rjAZ2sZVha8oTsZD3eFtyLHyYkjiRmXNYIXXdmWK6Mbmur n1bTA1P/vRWDnXM6p5SQznUpWAJLbh4OX56bRm0X2H0NU4dSP5jGTfY6F//owKuSXua8 FoKjl5j+J3p8YUGzbVOF/Wlv5dbYK4a0DBCYb8DfhczGI7+honUyJIAwgipSFGSHOVk4 BkXQ==
X-Gm-Message-State: ALyK8tIv/hjlqxVBNBvyfcN51TL4QiENK44s2wwLTxpCW18Z8HwYhmVcOnEWjQeao870BgoeO1PFa7XXNOpBbg==
X-Received: by 10.200.49.165 with SMTP id h34mr29084387qte.43.1467071542773; Mon, 27 Jun 2016 16:52:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.22.38 with HTTP; Mon, 27 Jun 2016 16:52:22 -0700 (PDT)
In-Reply-To: <20160627173913.GA2456@LK-Perkele-V2.elisa-laajakaista.fi>
References: <F9D2CFF3-57C2-41BD-ACB1-FA6C991458D7@mnot.net> <20160624072833.GA6241@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnWS0oA=OK7PScBEU6SBEu5DFpqSZAgWL1VpGBfLGOZhFA@mail.gmail.com> <20160627173913.GA2456@LK-Perkele-V2.elisa-laajakaista.fi>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 28 Jun 2016 09:52:22 +1000
Message-ID: <CABkgnnXb82kKPReYHa5Kcz=__AKuycJxpKom=XU3tewUCSSw7A@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Received-SPF: pass client-ip=209.85.216.171; envelope-from=martin.thomson@gmail.com; helo=mail-qt0-f171.google.com
X-W3C-Hub-Spam-Status: No, score=-7.9
X-W3C-Hub-Spam-Report: AWL=1.833, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1bHgKf-0008DZ-7w 38ffe0f1cbdb37cc300ca40596341e4f
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Call for Adoption: Secondary Certificate Authentication in HTTP/2
Archived-At: <http://www.w3.org/mid/CABkgnnXb82kKPReYHa5Kcz=__AKuycJxpKom=XU3tewUCSSw7A@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31803
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 28 June 2016 at 03:39, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> Well, basically IMO the needs for client-server direction are:
>
> 1) Client to select the certificate set on per-request basis (including
>    selecting the empty set).
> 2) Not to have to eat extra RTT for per-request control (as having to
>    do that would be a perverse incentive).
> 3) Server to indicate that more certs are needed.
> 4) Client to be able to refuse server's request for extra certificate.
>
> The set selection in 1) is obviously client-specific. E.g. Curl and
> Firefox will do it in rather different ways.
>
> An optimization would be for client to signal that the certificate set
> it sent for request is closed: Any request to extend it will be denied
> (the set will probably be empty, but not necressarily).
>
> Capability to unilaterially send certificates would obviously
> complicate things, as one would need to handle wild guesses about
> capabilities of the server.
>
>
> For the server-client direction:
>
> 1) Ability for server to push a new certificate unilaterially, and
>    have the names appear in authority set.
>
> IMO, no need to be ever able to remove names from that set or to
> temporarily disable entries.

This is a good summary of the requirements.  The question we are
struggling with is whether orthogonality of the two solutions is
possible.  Assembling all the pieces for the client to server
direction is challenging, but once you have those pieces, maybe you
don't want a whole different set of mechanisms for the reverse
direction.

v2.23.0 | Report a Bug | By Email