RE: Client Certificates - re-opening discussion

Mike Bishop <Michael.Bishop@microsoft.com> Wed, 23 September 2015 16:02 UTC

From: Mike Bishop <Michael.Bishop@microsoft.com>
To: Martin Thomson <martin.thomson@gmail.com>, Stefan Eissing <stefan.eissing@greenbytes.de>
CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Thread-Topic: Client Certificates - re-opening discussion
Date: Wed, 23 Sep 2015 15:58:56 +0000
Message-ID: <CY1PR03MB13742717AB92BB68C127B57187440@CY1PR03MB1374.namprd03.prod.outlook.com>
References: <63DECDF0-AB59-4AFD-8E48-8C2526FD6047@mnot.net> <42DDF1C6-F516-4F71-BAE0-C801AD13AA01@co-operating.systems> <2F3BD1CB-042D-48AB-8046-BB8506B8E035@mnot.net> <CABcZeBNpjbNdeqxP_cwCDygk6_MVDoNhqcMEDmEvEBxztmonLg@mail.gmail.com> <20150918205734.GA23316@LK-Perkele-VII> <70D2F8CE-D1A2-440F-ADFC-24D0CE0EDCF1@greenbytes.de> <CABcZeBPNxEA6O324tnF3dbUCLD-a7uUvWYYjO1pnYwAm9cN2eA@mail.gmail.com> <CY1PR03MB1374F1CA73EFDA80C7CE44E887580@CY1PR03MB1374.namprd03.prod.outlook.com> <9BD53F44-94BA-4931-891A-BD94B5F440D0@gmail.com> <CY1PR03MB1374BE698FEB732EBB9BD96087460@CY1PR03MB1374.namprd03.prod.outlook.com> <68879535-44AB-4E68-BA42-827BA334D9A8@gmail.com> <CAJU8_nX3kOxTavtz6s8EV_M0wfvgQorDsVDRszqqebVEHh++kw@mail.gmail.com> <C6DB2FC1-AA9B-43B9-BF28-AFB6B2957F9E@gmail.com> <6B89D91E-8E76-46E0-A2B5-1E764DDC5AD0@greenbytes.de> <CAJU8_nX5jY6X0Nnd5Vke0wpYS3UCsmyzqvD6xoQ4u_L7Wfr3SQ@mail.gmail.com> <4456BAAA-125B-4038-AAC7-77A20F0C75B1@co-operating.systems> <C874EAAC-FF26-42C6-BB6C-5785A6508664@bblfish.net> <CY1PR03MB137427E0C66A2297C844DDBF87460@CY1PR03MB1374.namprd03.prod.outlook.com> <F2A23F97-E114-40D3-8691-84CB7B54A791@greenbytes.de> <E549D977-DC88-4E39-B65B-EE674E541157@mnot.net> <06F248CF-E092-4959-9784-11FA1FFD36A7@greenbytes.de> <CABkgnnVMzvKhFB_8EmE8Dj9m4_cOafWhyWXtUSwSXK_a9MdUbA@mail.gmail.com>
In-Reply-To: <CABkgnnVMzvKhFB_8EmE8Dj9m4_cOafWhyWXtUSwSXK_a9MdUbA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Subject: RE: Client Certificates - re-opening discussion
Archived-At: <http://www.w3.org/mid/CY1PR03MB13742717AB92BB68C127B57187440@CY1PR03MB1374.namprd03.prod.outlook.com>
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/30262

I agree, it would have been nice to specify some level of scope on the HTTP_1_1_REQUIRED – but then again, the server code may not even know the scope of resources that trigger it, and fallback to HTTP/1.1 is always permissible.  If we receive H1R for one or more resources, we open a 1.1 connection and retry it/them.  If they succeed on 1.1, we’ll switch entirely to 1.1 for the remainder of that session.  (With some additional implementation-specific stuff around the client-cert case and not wanting to stall renegotiation waiting for UI.)

From: Martin Thomson [mailto:martin.thomson@gmail.com]
Sent: Wednesday, September 23, 2015 8:26 AM
To: Stefan Eissing <stefan.eissing@greenbytes.de>
Cc: Mark Nottingham <mnot@mnot.net>; HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: Client Certificates - re-opening discussion


On Sep 23, 2015 1:55 AM, "Stefan Eissing" <stefan.eissing@greenbytes.de> wrote:
> One could advise a client that HTTP_1_1_REQUIRED indicates that the request URI ref indicates the server realm where this restriction applies. For Apache httpd at least, client cert renegotiation is a directory-based configuration.

The notion that you might infer something about other resources based on some unspecified dissection of a URL and a response seems too fragile to be wise. That suggests something explicit, which leads back to 421.

> Further, a client thus falling back to HTTP/1.1 to trigger the proper TLS params, *could* try to "Upgrade:" to h2 again on the same request, given that all security requirements are fulfilled. This is outside the spec atm, right?

Yeah, TLS implies ALPN.

> (I had already one site with "421 Ping Pong" reported, where the client got a 421, tore down the connection, opened a new one, got a 421 on a later request, tore down again, opened exactly as in the beginning a new one... all this does not match exactly this case, but it shows that there are interop issues lurking.)

Redirect loops happen too, so I imagine that this can be handled in a catchall.

The ideal solution is to find ways to address all use cases in HTTP/2. For that, I agree that client authentication in response to a request will be needed.
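The client-side policy sketched in this thread (retry a request that was reset with HTTP_1_1_REQUIRED over a separate HTTP/1.1 connection, switch the session to 1.1 once that retry succeeds, and put a loop guard on 421 reconnects instead of ping-ponging forever) can be written down as a small state machine. The following is an added illustration, not code from this thread or from any browser or server mentioned in it. The `Session`, `fetch` and transport-table names, the `MAX_421_RETRIES` value and the scenario URLs are assumptions; the transport is a constructed stand-in that never opens a socket, and the 0xd error code is the HTTP_1_1_REQUIRED value from RFC 7540.

```python
"""Model of a client's fallback policy for HTTP_1_1_REQUIRED and 421.

Added example; the transport below is a constructed stand-in, not a real
HTTP stack. Names (Session, fetch, Outcome) and MAX_421_RETRIES are assumed.
"""
from dataclasses import dataclass, field
from enum import Enum

HTTP_1_1_REQUIRED = 0xD   # RFC 7540 section 7 error code carried in RST_STREAM
MAX_421_RETRIES = 2       # assumed loop guard: how many 421-triggered reconnects a session tolerates


class Proto(Enum):
    H2 = "h2"
    H1 = "http/1.1"


@dataclass
class Outcome:
    """What the transport produced for one request: a response or a stream reset."""
    kind: str              # "response" or "rst_stream"
    status: int = 0        # HTTP status when kind == "response"
    error_code: int = 0    # HTTP/2 error code when kind == "rst_stream"


@dataclass
class Session:
    """Per-origin client state: which protocol to use and how many 421 reconnects happened."""
    protocol: Proto = Proto.H2
    reconnects_421: int = 0
    log: list = field(default_factory=list)   # (url, proto, kind, status-or-error) per attempt


def make_transport(table):
    """Constructed transport: (url, proto value) -> Outcome. Stateless, offline."""
    def transport(url, proto):
        return table[(url, proto.value)]
    return transport


def fetch(url, session, transport):
    """Issue one request under the session's policy. Returns (status, protocol used)."""
    while True:
        out = transport(url, session.protocol)
        session.log.append((url, session.protocol.value, out.kind,
                            out.status if out.kind == "response" else out.error_code))
        if out.kind == "rst_stream":
            if out.error_code == HTTP_1_1_REQUIRED and session.protocol is Proto.H2:
                # Retry just this request on a separate HTTP/1.1 connection.
                retry = transport(url, Proto.H1)
                session.log.append((url, Proto.H1.value, retry.kind,
                                    retry.status if retry.kind == "response" else retry.error_code))
                if retry.kind == "response":
                    # The 1.1 retry worked: use 1.1 for the rest of this session.
                    session.protocol = Proto.H1
                    return retry.status, Proto.H1
                raise RuntimeError(f"{url}: HTTP/1.1 retry was reset as well")
            raise RuntimeError(f"{url}: stream reset with error 0x{out.error_code:x}")
        if out.status == 421 and session.protocol is Proto.H2:
            if session.reconnects_421 < MAX_421_RETRIES:
                # A real client tears the connection down and opens a fresh one here.
                session.reconnects_421 += 1
                continue
            # Catch-all, as with redirect loops: stop retrying and surface the 421.
            return 421, session.protocol
        return out.status, session.protocol


# Constructed scenario table for the two cases discussed in the thread.
SCENARIOS = make_transport({
    ("/secure", "h2"):        Outcome("rst_stream", error_code=HTTP_1_1_REQUIRED),
    ("/secure", "http/1.1"):  Outcome("response", status=200),
    ("/other", "h2"):         Outcome("response", status=200),
    ("/other", "http/1.1"):   Outcome("response", status=200),
    ("/pingpong", "h2"):      Outcome("response", status=421),
})


def demo():
    """Run both scenarios and return the observable results."""
    fallback = Session()
    first = fetch("/secure", fallback, SCENARIOS)
    second = fetch("/other", fallback, SCENARIOS)   # now goes straight over 1.1
    loop = Session()
    capped = fetch("/pingpong", loop, SCENARIOS)
    return {"first": first, "second": second, "capped": capped,
            "fallback_log": fallback.log, "loop_attempts": len(loop.log)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the 421 branch is the one Martin makes: bounded retries turn a ping-pong into an ordinary error the application can see, rather than an unbounded reconnect storm against the origin. The HTTP_1_1_REQUIRED branch keeps the fallback per request until a 1.1 retry has actually succeeded, so a single spurious reset does not move the whole session off h2.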