Re: FW: New Version Notification for draft-bishop-httpbis-http2-additional-certs-05.txt
Kazuho Oku <kazuhooku@gmail.com> Tue, 14 November 2017 16:30 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81B96128CD5 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 14 Nov 2017 08:30:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.989
X-Spam-Level:
X-Spam-Status: No, score=-6.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hw2E7EhH4WiS for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 14 Nov 2017 08:30:01 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA4D01271FD for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 14 Nov 2017 08:30:00 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1eEdxt-0000Cu-CR for ietf-http-wg-dist@listhub.w3.org; Tue, 14 Nov 2017 16:21:33 +0000
Resent-Date: Tue, 14 Nov 2017 16:21:33 +0000
Resent-Message-Id: <E1eEdxt-0000Cu-CR@frink.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <kazuhooku@gmail.com>) id 1eEdxk-0000CA-2J for ietf-http-wg@listhub.w3.org; Tue, 14 Nov 2017 16:21:24 +0000
Received: from mail-pg0-f44.google.com ([74.125.83.44]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <kazuhooku@gmail.com>) id 1eEdxh-0000B2-87 for ietf-http-wg@w3.org; Tue, 14 Nov 2017 16:21:23 +0000
Received: by mail-pg0-f44.google.com with SMTP id s75so15732297pgs.0 for <ietf-http-wg@w3.org>; Tue, 14 Nov 2017 08:21:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=bjr1mgG6pmuVHT+rvOK5xhSyAjiNyUafiP0g1fgsEfw=; b=tm0f9usxHgt/JXd3zHeIDNBCXqUP0koiWSrLpZCXNAl0SgNID5ocdHbM+7F78GoYK5 QrKPLNgmqu+RiTkM2/L/t2fcvWbx3Uyq+bAZaxYpNWfD/UxlfSoT1u+Ve5ex5bhKNq+k /h0FyeJZ1fdSyiuYbkyNpWr8Tkex5YArj/N/G9XVdeM2KwOCUvTB+HzzPUY13Gb3yfN9 ZWkhsZUZl7RZnjOi1YfSbK1ChbUQCoyPkmiKQiwTHW4zacStpPRsGLRRMc/DmEw7JYQE nUgUOBJClIoh+o1YWp/INqocPxJinRX+CRO5rYy6Jc3Z37v0R3sQGDislRqit+ptHZ2n KDzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=bjr1mgG6pmuVHT+rvOK5xhSyAjiNyUafiP0g1fgsEfw=; b=o99pElSzWhI6wvOEPQqpn7V3PRKYTfCuLTe340hgHbZ98HC53JbysH19M4PSiQ2kgY HO0W//V6ajEz4UttZphveyXmr3MNc99QeHM/qxvv87k/SmLKfU5WXisBJmaxF1Ci+B70 1o+IC1J9XDVCS/RYox8GYEEkvvRNs3YzDCdVj8Bf/wRZ+6/dIM2H/x0vRQ3IHwuT6qta 51VPl1VjmeGfw+MZ5UqU7wKJNiFhYZZn2e2wypqCKf7DBDnJGJ8IwtbJQCIXgEIcE0/+ fFncauCCPtsgWvL7xoaVu7IM3d40cmKJIQ04w6CCCF/4sEK51IAwrptgyrPP4fvrQU0X 2WiA==
X-Gm-Message-State: AJaThX6isdq/wfJy2fntQO7eywCk72KNtNlyLYedlkRpvyZ8pgEXH/kt d49S/MV37bJOWwdxle6IfFsD6CxCNwGhgXv9CZIbGhnm
X-Google-Smtp-Source: AGs4zMaDnRPXy59NcIvG5iwksGDESsQq37AJqWeAmko+W4jI+A0OrV07w/errBlm3KpG9p3RLvYvVx8QdD2WTyrWuyo=
X-Received: by 10.159.204.147 with SMTP id t19mr13059920plo.222.1510676459877; Tue, 14 Nov 2017 08:20:59 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.130.79 with HTTP; Tue, 14 Nov 2017 08:20:58 -0800 (PST)
In-Reply-To: <MWHPR08MB2432A5711D0E96CAE462C489DA280@MWHPR08MB2432.namprd08.prod.outlook.com>
References: <150939960176.7740.5723475746682417243.idtracker@ietfa.amsl.com> <MWHPR08MB347212B6F2F9DDD092728354DA5E0@MWHPR08MB3472.namprd08.prod.outlook.com> <CANatvzzO0gsuvjBjCuGuvxenubnVt4G==qw1huzjSd57V+8A9Q@mail.gmail.com> <CAOjisRyTn4UR0oV7si93da2G4gbzZZXU4LO-NW2PZWSLosFOLg@mail.gmail.com> <CANatvzypXjz3+88V5JayfyzTW=ZX3P0BEKHSXe7RMBP4bz2LWQ@mail.gmail.com> <MWHPR08MB2432A5711D0E96CAE462C489DA280@MWHPR08MB2432.namprd08.prod.outlook.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Wed, 15 Nov 2017 00:20:58 +0800
Message-ID: <CANatvzy55RkT4ThKODOUh2e-AK_hMGV5UPw41885Ag6L8pAnHg@mail.gmail.com>
To: Mike Bishop <mbishop@evequefou.be>
Cc: Nick Sullivan <nicholas.sullivan@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="089e08288ab4c2fa9e055df3c54f"
Received-SPF: pass client-ip=74.125.83.44; envelope-from=kazuhooku@gmail.com; helo=mail-pg0-f44.google.com
X-W3C-Hub-Spam-Status: No, score=-5.5
X-W3C-Hub-Spam-Report: AWL=1.318, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1eEdxh-0000B2-87 c3dba06387a089617a54b08089366e21
X-Original-To: ietf-http-wg@w3.org
Subject: Re: FW: New Version Notification for draft-bishop-httpbis-http2-additional-certs-05.txt
Archived-At: <https://www.w3.org/mid/CANatvzy55RkT4ThKODOUh2e-AK_hMGV5UPw41885Ag6L8pAnHg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/34790
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi Mike, 2017-11-14 23:16 GMT+08:00 Mike Bishop <mbishop@evequefou.be>: > What the draft currently says about that is: > > Client implementations need to carefully consider the impact of setting > the AUTOMATIC_USE flag. This flag is a performance optimization, permitting > the client to avoid a round-trip on each request where the server checks > for certificate authentication. However, once this flag has been sent, the > client has zero knowledge about whether the server will use the referenced > cert for any future request, or even for an existing request which has not > yet completed. Clients MUST NOT set this flag on any certificate which is > not appropriate for currently-in-flight requests, and MUST NOT make any > future requests on the same connection which they are not willing to have > associated with the provided certificate. > > > > So basically, if a client provides a certificate to example.com with > AUTOMATIC_USE set, then later decides that it doesn’t want to use that > certificate with example.org, then it MUST NOT send example.org requests > on that connection and would need to start a fresh one. > Thank you for pointing that out. I remember reading the section, but it's obvious I missed the intent of the text. I think that you’re right that negotiation isn’t needed if the client is > allowed to preemptively send USE_CERTIFICATE with every request. That > introduces a race condition where confusion could ensue about whether the > USE_CERTIFICATE was preemptive or in response to a CERTIFICATE_NEEDED. > However, that seems solvable if we specify timing rules. A strawman: > > - Eliminate AUTOMATIC_USE – the semantics are always true for servers > and never true for clients > - Clients which have previously been challenged for and provided a > certificate MAY send USE_CERTIFICATE as part of their subsequent or > still-open requests > - Servers MUST NOT send CERTIFICATE_REQUIRED before seeing a complete > request > - If the request included a USE_CERTIFICATE frame, the server MUST > NOT send CERTIFICATE_REQUIRED, but MAY reset the stream with a > NOT_WHAT_I_WANTED error code (better name TBD). > - Upon receipt of a NOT_WHAT_I_WANTED error, clients SHOULD > resend the request without a USE_CERTIFICATE frame and expect a > CERTIFICATE_REQUIRED frame > - If not, it MAY send a CERTIFICATE_REQUIRED if a certificate is > required. > > The strawman looks good to me. Thank you for writing them down. I like the fact that the approach is simpler than the current one, and that the round-trips required to perform the requests have been minimized in all cases. I have only one comment. You might want to adjust the timing so that we could cap the amount of memory need to buffer a pending request (note that in case of CGI, properties of the client certificate needs to be sent to the application before the request body. Also I would assume that such requirement exists for other gateway protocols). One way to implement such cap would be to change the timing requirement as follows: * a client that associates a client certificate to a request MUST send USE_CERTIFICATE frame prior to sending a DATA frame * otherwise, a client should send the USE_CERTIFICATE frame only in response to a CERTIFICATE_REQUIRED frame > > Something else that should have occurred to me long ago, but hit me while > writing the above: USE_CERTIFICATE will necessarily be sendable on a > half-closed stream. That’s possible in HTTP/2, but problematic in > HTTP/QUIC. We’ll have to think about that. > > > > -----Original Message----- > From: Kazuho Oku [mailto:kazuhooku@gmail.com] > Sent: Tuesday, November 14, 2017 2:24 PM > To: Nick Sullivan <nicholas.sullivan@gmail.com> > Cc: Mike Bishop <mbishop@evequefou.be>; HTTP Working Group < > ietf-http-wg@w3.org> > Subject: Re: FW: New Version Notification for draft-bishop-httpbis-http2- > additional-certs-05.txt > > > > Hi Nick, Ilari, Mike, > > > > Thank you for your responses. > > > > First, let me argue that there is no need to negotiate AUTOMATIC_USE. > > Current draft permits the server to let the client choose a certificate > even in case AUTOMATIC_USE is being used. So it is possible to cover the > CGI use case under the current draft, though the need to spend 2 RTT makes > me bit sad (especially since I do not understand the benefit of letting the > server choose the certificate). > > > > That said, let me elaborate about another issue related to AUTOMATIC_USE; > a potential privacy concern. > > > > Consider the case of a CDN terminating example.com and example.org. > > Both of the hosts require authentication using client certificates issued > by the same CA. > > > > At first, a client connects to the CDN sending a request to example.com, > and sends its client certificate with AUTOMATIC_USE flag set. > > > > Then, using the same connection, a client sends a request to example.org. > At this point, is the CDN allowed to present the certificate that was sent > for example.com to example.org? My understanding is that in HTTP/1, a > user has the total control of choosing the certificate the person wants to > send to each domain. > > > > So to me, it seems that we would be required to standardize when a > certificate sent with AUTOMATIC_USE flag set can be reused across the > authorities that are coalesced into a single connection, if we are to > enable automatic reuse (please let me know if that’s already specified; I > may have missed that). > > > > One way to avoid the issue is to drop AUTOMATIC_USE from the > specification, and require the client to specify the certificate that is > associated to every request. > > > > If we take that route, we would no longer be required to seek an agreement > and document when an intermediary can reuse a client certificate across > authorities. Elimination of AUTOMATIC_USE would give the clients total > control on how certificates are associated to the requests they send, and > the added bonus would be that the behavior could be verified by consulting > the client behavior. > > > > 2017-11-13 17:29 GMT+08:00 Nick Sullivan <nicholas.sullivan@gmail.com>: > > > Hi Kazuho, > > > > > > Thanks for this. I think you found an issue that we did not consider: > > > the fact that server support for setting AUTOMATIC_USE in client > > > certificates may not be desirable for all servers. The CGI case you > > > describe would work find as long as the client doesn't use AUTOMATIC_USE. > > > > > > Here's a possible solution to this: > > > Let the server advertise support for AUTOMATIC_USE in the > > > CERTIFICATE_REQUEST message as a flag. If the client receives a > > > CERTIFICATE_REQUEST without AUTOMATIC_USE set, then it should not be > > > able to reply with a CERTIFICATE with AUTOMATIC_USE set. > > > > > > Nick > > > > > > On Mon, Nov 13, 2017 at 3:18 PM Kazuho Oku <kazuhooku@gmail.com> wrote: > > >> > > >> Hi, Mike, Nick, Martin, > > >> > > >> I have briefly asked this in the IETF meeting, but let me question if > > >> it sounds logical to adjust the approach so that the client will be > > >> required to proactively specify the certificate that is associated to > > >> each HTTP request. > > >> > > >> I ask this due to the following reason. > > >> > > >> In HTTP/1, it was always clear from the server’s viewpoint which > > >> certificate is associated to a HTTP request. This is because the > > >> underlying connection allowed only one client certificate at maximum > > >> to be used. CGI is designed after that model. A CGI gateway is > > >> expected to designate _at most one_ certificate that has been > > >> associated to the request by using a set of environment variables > > >> (e.g., `SSL_CLIENT_S_DN` [1]). I would assume that it is the same for > > >> other de-facto standards that have evolved from CGI (e.g., FastCGI, > > >> Rack). > > >> > > >> The secondary certificates draft changes the model. Under the model > > >> proposed by the draft, the server is expected to choose from one of > > >> the certificates that it has received with AUTOMATIC_USE flag set, or > > >> to request the client to send a new certificate. > > >> > > >> However, to me (as a HTTP server developer that acts as a CGI > > >> gateway) it is unclear how a server can make such choice. > > >> Applications that are run using the CGI protocol _might_ have > > >> sufficient information to make such choice, but that is not the case > for a CGI gateway. > > >> > > >> That means that unless the draft (in the following revisions) specify > > >> the guess logic that I should implement, I would be forced into > > >> sending CERTIFICATE_NEEDED for every HTTP request I receive. Doing so > > >> would introduce one extra roundtrip. > > >> > > >> Considering that, I wonder if you could adjust the approach proposed > > >> in the draft to require the client to proactively clarify the > > >> certificate that is associated to each HTTP request. > > >> > > >> For example, I believe that the draft could specify that: > > >> * If the client does not specify a certificate that is associated to > > >> a request, a server MAY request the client to specify the certificate. > > >> * The client can specify the certificate that is associated to a > > >> request proactively, instead of sending USE_CERTIFICATE frame in > > >> response to a CERTIFICATE_NEEDED frame. > > >> > > >> By changing the approach as such, the only case in which two > > >> roundtrips are required for processing a request could become when > > >> the client is required to send a new certificate. Also, AUTOMATIC_USE > > >> flag becomes unnecessary. > > >> > > >> One downside caused by such change is that the bandwidth slightly > > >> increases due to the fact that the client would be required to > > >> specify the certificate that is associated to every HTTP request. > > >> However that is just sending Cert-ID per every HTTP request; I > > >> believe that the increase of bandwidth is negligible. > > >> > > >> To summarize, I am suggesting to push the responsibility of choosing > > >> the certificate back to the client. Note that in the current draft > > >> the client is still required to make such choice if the server sends > > >> a CERTIFICATE_NEEDED frame; so I think requiring the client to > > >> _always_ make the choice does not increase the complexity on the client > side. > > >> > > >> [1] https://httpd.apache.org/docs/2.4/mod/mod_ssl.html > > >> > > >> 2017-10-31 8:14 GMT+08:00 Mike Bishop <mbishop@evequefou.be>: > > >> > In preparation for Singapore, we've updated the Additional Certs > > >> > draft to track changes in TLS 1.3 and the Exported Authenticators TLS > draft. > > >> > There's been substantial interest here, and we'll be discussing the > > >> > draft during the WG meeting. > > >> > > > >> > -----Original Message----- > > >> > From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org > <internet-drafts@ietf.org>] > > >> > Sent: Monday, October 30, 2017 2:40 PM > > >> > To: Martin Thomson <martin.thomson@gmail.com>; Mike Bishop > > >> > <mbishop@evequefou.be>; Nick Sullivan <nick@cloudflare.com> > > >> > Subject: New Version Notification for > > >> > draft-bishop-httpbis-http2-additional-certs-05.txt > > >> > > > >> > > > >> > A new version of I-D, > > >> > draft-bishop-httpbis-http2-additional-certs-05.txt > > >> > has been successfully submitted by Mike Bishop and posted to the > > >> > IETF repository. > > >> > > > >> > Name: draft-bishop-httpbis-http2-additional-certs > > >> > Revision: 05 > > >> > Title: Secondary Certificate Authentication in HTTP/2 > > >> > Document date: 2017-10-30 > > >> > Group: Individual Submission > > >> > Pages: 21 > > >> > URL: > > >> > https://www.ietf.org/internet-drafts/draft-bishop-httpbis-http2-add > > >> > itional-certs-05.txt > > >> > Status: > > >> > https://datatracker.ietf.org/doc/draft-bishop-httpbis-http2-additio > > >> > nal-certs/ > > >> > Htmlized: > > >> > https://tools.ietf.org/html/draft-bishop-httpbis-http2-additional-c > > >> > erts-05 > > >> > Htmlized: > > >> > https://datatracker.ietf.org/doc/html/draft-bishop-httpbis-http2-ad > > >> > ditional-certs-05 > > >> > Diff: > > >> > https://www.ietf.org/rfcdiff?url2=draft-bishop-httpbis-http2-additi > > >> > onal-certs-05 > > >> > > > >> > Abstract: > > >> > TLS provides fundamental mutual authentication services for HTTP, > > >> > supporting up to one server certificate and up to one client > > >> > certificate associated to the session to prove client and server > > >> > identities as necessary. This draft provides mechanisms for > > >> > providing additional such certificates at the HTTP layer when these > > >> > constraints are not sufficient. > > >> > > > >> > Many HTTP servers host content from several origins. HTTP/2 > > >> > [RFC7540] permits clients to reuse an existing HTTP connection to a > > >> > server provided that the secondary origin is also in the certificate > > >> > provided during the TLS [I-D.ietf-tls-tls13] handshake. > > >> > > > >> > In many cases, servers will wish to maintain separate certificates > > >> > for different origins but still desire the benefits of a shared HTTP > > >> > connection. Similarly, servers may require clients to present > > >> > authentication, but have different requirements based on the content > > >> > the client is attempting to access. > > >> > > > >> > This document describes how TLS exported authenticators > > >> > [I-D.ietf-tls-exported-authenticator] can be used to provide proof > of > > >> > ownership of additional certificates to the HTTP layer to support > > >> > both scenarios. > > >> > > > >> > > > >> > > > >> > > > >> > Please note that it may take a couple of minutes from the time of > > >> > submission until the htmlized version and diff are available at > > >> > tools.ietf.org. > > >> > > > >> > The IETF Secretariat > > >> > > > >> > > > >> > > >> > > >> > > >> -- > > >> Kazuho Oku > > >> > > > > > > > > > > > -- > > Kazuho Oku > -- Kazuho Oku
- FW: New Version Notification for draft-bishop-htt… Mike Bishop
- Re: FW: New Version Notification for draft-bishop… Patrick McManus
- Re: FW: New Version Notification for draft-bishop… Kazuho Oku
- Re: FW: New Version Notification for draft-bishop… Nick Sullivan
- Re: FW: New Version Notification for draft-bishop… Ilari Liusvaara
- Re: FW: New Version Notification for draft-bishop… Ilari Liusvaara
- RE: FW: New Version Notification for draft-bishop… Mike Bishop
- Re: FW: New Version Notification for draft-bishop… Kazuho Oku
- RE: FW: New Version Notification for draft-bishop… Mike Bishop
- Re: FW: New Version Notification for draft-bishop… Kazuho Oku
- RE: FW: New Version Notification for draft-bishop… Mike Bishop
- RE: FW: New Version Notification for draft-bishop… Mike Bishop