IETF Logo Mail Archive

RE: Client certificates in HTTP/2

Mike Bishop <Michael.Bishop@microsoft.com> Tue, 09 June 2015 23:07 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B6621A8A11 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 9 Jun 2015 16:07:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zUZ8zMq0-sp0 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 9 Jun 2015 16:07:49 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D60F71A8A0D for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 9 Jun 2015 16:07:49 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Z2SZL-0002nH-Rk for ietf-http-wg-dist@listhub.w3.org; Tue, 09 Jun 2015 23:04:31 +0000
Resent-Date: Tue, 09 Jun 2015 23:04:31 +0000
Resent-Message-Id: <E1Z2SZL-0002nH-Rk@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <Michael.Bishop@microsoft.com>) id 1Z2SZE-0002mO-7j for ietf-http-wg@listhub.w3.org; Tue, 09 Jun 2015 23:04:24 +0000
Received: from mail-bn1bn0106.outbound.protection.outlook.com ([157.56.110.106] helo=na01-bn1-obe.outbound.protection.outlook.com) by maggie.w3.org with esmtps (TLS1.2:RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <Michael.Bishop@microsoft.com>) id 1Z2SZC-0003WS-KX for ietf-http-wg@w3.org; Tue, 09 Jun 2015 23:04:23 +0000
Received: from BL2PR03MB132.namprd03.prod.outlook.com (10.255.230.24) by BL2PR03MB129.namprd03.prod.outlook.com (10.255.230.20) with Microsoft SMTP Server (TLS) id 15.1.184.17; Tue, 9 Jun 2015 23:03:55 +0000
Received: from BL2PR03MB132.namprd03.prod.outlook.com ([169.254.9.131]) by BL2PR03MB132.namprd03.prod.outlook.com ([169.254.9.131]) with mapi id 15.01.0184.014; Tue, 9 Jun 2015 23:03:55 +0000
From: Mike Bishop <Michael.Bishop@microsoft.com>
To: Adrien de Croy <adrien@qbik.com>, Martin Thomson <martin.thomson@gmail.com>
CC: Yoav Nir <ynir.ietf@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Thread-Topic: Client certificates in HTTP/2
Thread-Index: AQHQooro5C5BMiM9y0mRQrw2laAAg52kcchAgABBWgCAAAttAIAAANqAgAACLQD/////gIAABAkAgAABgYCAAAMcoA==
Date: Tue, 09 Jun 2015 23:03:55 +0000
Message-ID: <BL2PR03MB132C04E1A8705633FA119F187BE0@BL2PR03MB132.namprd03.prod.outlook.com>
References: <CABkgnnWPaJf1w2qYhgKQ-RibycQJrzOWWFLP+=5w9Jyb7VjtLg@mail.gmail.com> <embc3b2d2c-7e58-44c7-ab1b-c02192caf378@bodybag>
In-Reply-To: <embc3b2d2c-7e58-44c7-ab1b-c02192caf378@bodybag>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: qbik.com; dkim=none (message not signed) header.d=none;
x-originating-ip: [2001:4898:80e0:ee43::5]
x-microsoft-exchange-diagnostics: 1; BL2PR03MB129; 3:thfq8GBouFrE0K8PuP78LZGfycm7vlfqL92PLFMynyqK2bhXaDAztEjQlfN2slL5RgxMFjeYPk8V3uC2eOb7NAtwzHJNbKp9ixt1VP8UOLE3M7Ju+I3T30p/8pJFMXbejAvQpDNMFRp7U7Nh9hAFLw==; 10:BJpVtux5t18LFuMaNRCKSQppoLyo/EJSJvv1wYgPxS8wNZZuVe+KeD89+3+yu6wIPjE4e6T8O3rMwmEebmZNUmus77cgTtIRX/oJTeEhxoY=; 6:agz/XfiI3uaRxZ9M5tmoK0o6byNeKOw7SfHUbgjp4zF82vNrxZOPB1A58Hwj+JPt
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BL2PR03MB129;
x-microsoft-antispam-prvs: <BL2PR03MB12958EAB6D0778EABE336BB87BE0@BL2PR03MB129.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(520003)(3002001); SRVR:BL2PR03MB129; BCL:0; PCL:0; RULEID:; SRVR:BL2PR03MB129;
x-forefront-prvs: 06022AA85F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(13464003)(377454003)(51444003)(24454002)(479174004)(3905003)(51704005)(122556002)(46102003)(50986999)(74316001)(62966003)(40100003)(1720100001)(5001770100001)(77156002)(92566002)(102836002)(561944003)(33656002)(99286002)(54356999)(76176999)(5002640100001)(106116001)(189998001)(5001960100002)(15975445007)(86362001)(19580395003)(19580405001)(2656002)(86612001)(2900100001)(76576001)(87936001)(2950100001)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BL2PR03MB129; H:BL2PR03MB132.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jun 2015 23:03:55.2382 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2PR03MB129
Received-SPF: pass client-ip=157.56.110.106; envelope-from=Michael.Bishop@microsoft.com; helo=na01-bn1-obe.outbound.protection.outlook.com
X-W3C-Hub-Spam-Status: No, score=-3.7
X-W3C-Hub-Spam-Report: AWL=-2.824, BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_NW=1
X-W3C-Scan-Sig: maggie.w3.org 1Z2SZC-0003WS-KX d4ad07d1893d6c870908ce7b86bf461b
X-Original-To: ietf-http-wg@w3.org
Subject: RE: Client certificates in HTTP/2
Archived-At: <http://www.w3.org/mid/BL2PR03MB132C04E1A8705633FA119F187BE0@BL2PR03MB132.namprd03.prod.outlook.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/29739
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

The doc conflates a few things -- the extension and the quirks of our implementation that we're required to document.  I would really rather have had the extension in a separate doc for easy reading, and the original text of it does still live at http://tools.ietf.org/html/draft-bishop-support-reneg-00 as a stand-alone doc.  (Far fewer pages, and less boilerplate.)  However, I was advised that an independent document would be easier to manage, so it got folded into our quirks/profile doc that we had to publish anyway.

The short form is that mutually-consenting HTTP/2 implementations can agree to change the rules, and we didn't see a good alternative to being able to change the reneg rule in some scenarios.

-----Original Message-----
From: Adrien de Croy [mailto:adrien@qbik.com] 
Sent: Tuesday, June 9, 2015 3:46 PM
To: Martin Thomson
Cc: Mike Bishop; Yoav Nir; HTTP Working Group
Subject: Re: Client certificates in HTTP/2



------ Original Message ------
From: "Martin Thomson" <martin.thomson@gmail.com>
To: "Adrien de Croy" <adrien@qbik.com>
Cc: "Mike Bishop" <Michael.Bishop@microsoft.com>; "Yoav Nir" 
<ynir.ietf@gmail.com>; "HTTP Working Group" <ietf-http-wg@w3.org>
Sent: 10/06/2015 10:40:58 a.m.
Subject: Re: Client certificates in HTTP/2

>On 9 June 2015 at 15:26, Adrien de Croy <adrien@qbik.com> wrote:
>>
>>  so the proposal is to include some flag in all requests (but maybe 
>>not by
>>  some browsers) which can't be used by the server.
>
>Sure it can be used.

so the server is entitled to send a request if it sees the flag, is that the intention?

In which case, why not just let the server send the request if it wants a client cert, and the client can bounce the request if it doesn't want to support that.  That has several benefits.

1. reduced cost.  Only incur cost when the server wants a client cert, rather than on all connections.
2. clients can measure how often they are asked for a cert so that devs can make decisions about whether to support it or not.


>
>>  That doesn't seem like a good use of resource.
>
>It's a few bytes.  We've wasted a lot more elsewhere for less worthy 
>reasons.  Not that I think this is a great idea, but I can appreciate 
>that Microsoft have to do *something*.  It's an existing use that isn't 
>well served.  I'd rather the option I proposed, but we're not seeing a 
>lot of movement on the client authentication piece.
OK, I agree something needs to be done to carry over client cert auth.

>
>Maybe when Microsoft produce a proposal for TLS 1.3, we'll be a better 
>position.  Maybe that will be possible when the TLS 1.3 key schedule 
>and handshake becomes stable (which should be very soon).
>
>>  Or is tongue firmly planted in cheek on this one?
>
>Not this time.  I refer you to:
>http://download.microsoft.com/download/C/6/C/C6C3C6F1-E84A-44EF-82A9-49
>BD3AAD8F58/Windows/%5BMS-HTTP2E-Preview%5D.pdf
thanks for the link

Adrien


>
>>  Did you forget Chromium as well?
>
>I never forget Chromium, or Safari, or Opera, or Yandex, or UC 
>browser...  I just don't know what they plan to do yet.  I think that 
>Chromium have disabled renegotiation, but I wasn't sure.

v2.23.0 | Report a Bug | By Email