Re: Client Certificates - re-opening discussion
"henry.story@bblfish.net" <henry.story@bblfish.net> Mon, 21 September 2015 15:47 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E684C1B333C for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 21 Sep 2015 08:47:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BHby0B9K7v5Q for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 21 Sep 2015 08:47:48 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65C001B3336 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 21 Sep 2015 08:47:48 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Ze3GS-0007Gp-VF for ietf-http-wg-dist@listhub.w3.org; Mon, 21 Sep 2015 15:44:24 +0000
Resent-Date: Mon, 21 Sep 2015 15:44:24 +0000
Resent-Message-Id: <E1Ze3GS-0007Gp-VF@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <henry.story@bblfish.net>) id 1Ze3GN-0007F5-JU for ietf-http-wg@listhub.w3.org; Mon, 21 Sep 2015 15:44:19 +0000
Received: from mail-wi0-f178.google.com ([209.85.212.178]) by lisa.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <henry.story@bblfish.net>) id 1Ze3GM-000765-21 for ietf-http-wg@w3.org; Mon, 21 Sep 2015 15:44:19 +0000
Received: by wicge5 with SMTP id ge5so121763196wic.0 for <ietf-http-wg@w3.org>; Mon, 21 Sep 2015 08:43:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:content-transfer-encoding:message-id:references:to; bh=hNlBlthBMguqbzPoGvCsUz9rSlp/F5Oj2VPGVXmML4U=; b=NB0QliKKFptO6r3d23znRrUUXO1slJ5WRLZCmz7yUNsiRYnEhAwGmWRNhGr4J1BjmJ SsKfHgc1omsJKU0Xjq9P4FwzX2SmIZ7WSKVMzKLffoezpoq57JKFD+vvKhPTA+xwWeem 2vV+eW5kxReI1QZRzr9zfuhAmxAzr26CwiASq64Tx4ft91FakGRPVbKxGYCm4wkVg0Sj RKtlO6erOzgxhC1asLPzWOEgkF8NXjnPl42qddr0iBs32NljFxQYqOUrlZpiivgv1rzz JgnLPLNJyaDMIHnIyKK2X4wlJ4A4uXHwpdUCKeEnw/KYBsPNRX67HfSF6qrWKQjiU6E+ yVNA==
X-Gm-Message-State: ALoCoQkhXpaIZDld5PI1lo7DTV1fL1GYp52EaEyi9mYhrRtBPqDV+HCg/n6eKwtDq6dKbSIDDi9x
X-Received: by 10.195.11.40 with SMTP id ef8mr18346945wjd.103.1442850231352; Mon, 21 Sep 2015 08:43:51 -0700 (PDT)
Received: from [192.168.0.2] (cpc2-popl3-2-0-cust563.13-2.cable.virginm.net. [86.21.242.52]) by smtp.gmail.com with ESMTPSA id lb10sm5205618wjc.9.2015.09.21.08.43.50 for <ietf-http-wg@w3.org> (version=TLS1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 21 Sep 2015 08:43:50 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: "henry.story@bblfish.net" <henry.story@bblfish.net>
In-Reply-To: <CAJU8_nX5jY6X0Nnd5Vke0wpYS3UCsmyzqvD6xoQ4u_L7Wfr3SQ@mail.gmail.com>
Date: Mon, 21 Sep 2015 16:43:49 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <E598D662-0C08-494B-AE09-F518641CA724@bblfish.net>
References: <63DECDF0-AB59-4AFD-8E48-8C2526FD6047@mnot.net> <42DDF1C6-F516-4F71-BAE0-C801AD13AA01@co-operating.systems> <2F3BD1CB-042D-48AB-8046-BB8506B8E035@mnot.net> <CABcZeBNpjbNdeqxP_cwCDygk6_MVDoNhqcMEDmEvEBxztmonLg@mail.gmail.com> <20150918205734.GA23316@LK-Perkele-VII> <70D2F8CE-D1A2-440F-ADFC-24D0CE0EDCF1@greenbytes.de> <CABcZeBPNxEA6O324tnF3dbUCLD-a7uUvWYYjO1pnYwAm9cN2eA@mail.gmail.com> <CY1PR03MB1374F1CA73EFDA80C7CE44E887580@CY1PR03MB1374.namprd03.prod.outlook.com> <9BD53F44-94BA-4931-891A-BD94B5F440D0@gmail.com> <CY1PR03MB1374BE698FEB732EBB9BD96087460@CY1PR03MB1374.namprd03.prod.outlook.com> <68879535-44AB-4E68-BA42-827BA334D9A8@gmail.com> <CAJU8_nX3kOxTavtz6s8EV_M0wfvgQorDsVDRszqqebVEHh++kw@mail.gmail.com> <C6DB2FC1-AA9B-43B9-BF28-AFB6B2957F9E@gmail.com> <6B89D91E-8E76-46E0-A2B5-1E764DDC5AD0@greenbytes.de> <CAJU8_nX5jY6X0Nnd5Vke0wpYS3UCsmyzqvD6xoQ4u_L7Wfr3SQ@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
X-Mailer: Apple Mail (2.2104)
Received-SPF: none client-ip=209.85.212.178; envelope-from=henry.story@bblfish.net; helo=mail-wi0-f178.google.com
X-W3C-Hub-Spam-Status: No, score=-7.1
X-W3C-Hub-Spam-Report: AWL=0.463, BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1Ze3GM-000765-21 08c12ef4eb6b2085296cf1936a21a63f
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Client Certificates - re-opening discussion
Archived-At: <http://www.w3.org/mid/E598D662-0C08-494B-AE09-F518641CA724@bblfish.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/30249
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
> On 21 Sep 2015, at 15:28, Kyle Rose <krose@krose.org> wrote: > >>> The difference is that now the sane design is mandatory, else you get unpredictable results. A sane design works with renegotiation, #209 and HTTP-layer authentication >> >> Not even then. Client may reuse connections on matching certs. There are installations out there that have a cert for +3 domain names, lets say A, B and C. A has anonymous access, B and C both require different client certs. Depending on which tab the browser load first, the one or the other cert gets loaded in, leading the other site to fail since the cert is not accepted. > > Yeah, this is a huge issue that doesn't appear in HTTP/1.1. It sounds > to me like the real problem is trying to shoehorn application-layer > client authentication into the transport layer. How is this different from say if one authenticated to each resource using public keys at the HTTP layer [1]. We could imagine here A, B and C, being resources on the same server even with A only accessible by somone who can prove he is over 18, the other by someone how is a member of this working group, ( provable using either a WebID or an OpenID ), etc.... There are two signals the server can set up to help the user agent select a certificate: A 401 not Authorized, and perhaps a link to an access control resource that would describe who can have access [2]. The client needs some logic to help select a certificates or credential to respond to the request while putting the user in control, and without being too much of a pain. As I understand Martin Thomson suggested an HTTP header WWW-Authenticate: Certificate sent at the HTTP layer, that could then start the certificate connection at the TLS layer. The client could also try to narrow down from the ACL list to see if it is even worth bothering the user to ask him for a Certificate, and perhaps warn him that some links cannot be followed, because of the lack of access. It is true that authentication at the TLS layer is much rougher, as I think the client can only authenticate with 1 certificate not more, per connection. But part of the problem you mention has more to do with the logic of the user agents credential selection and the problems of protected resources across origins ( which everybody is familiar when looking at YouTube links that are viewable in one country but not in another ). Henry [1] As suggested by one of the following • Andrei Sambra's first sketch authentication protocol https://github.com/solid/solid-spec#webid-rsa • Manu Sporny's more fully fleshed out HTTP Message signature https://tools.ietf.org/html/draft-cavage-http-signatures-04 [2] Following work described here for example http://www.w3.org/wiki/WebAccessControl > > Kyle Social Web Architect http://bblfish.net/
- Client Certificates - re-opening discussion Mark Nottingham
- Re: Client Certificates - re-opening discussion Martin Thomson
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Mark Nottingham
- Re: Client Certificates - re-opening discussion Ilari Liusvaara
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Mike Belshe
- Re: Client Certificates - re-opening discussion Mark Nottingham
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Ilari Liusvaara
- Re: Client Certificates - re-opening discussion Eric Rescorla
- Re: Client Certificates - re-opening discussion Ilari Liusvaara
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion Eric Rescorla
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Yoav Nir
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Yoav Nir
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Kyle Rose
- Re: Client Certificates - re-opening discussion Yoav Nir
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion Kyle Rose
- Re: Client Certificates - re-opening discussion Mike Belshe
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Stephen Farrell
- Re: Client Certificates - re-opening discussion Kyle Rose
- Re: Client Certificates - re-opening discussion Jason Greene
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Alex Rousskov
- Re: Client Certificates - re-opening discussion Mark Nottingham
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion Martin Thomson
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Yoav Nir
- Re: Client Certificates - re-opening discussion Ryan Hamilton