Re: Call for Adoption: Secondary Certificate Authentication in HTTP/2

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 24 June 2016 07:33 UTC

On Fri, Jun 24, 2016 at 10:41:03AM +1000, Mark Nottingham wrote:
> <https://tools.ietf.org/html/draft-bishop-httpbis-http2-additional-certs>
> 
> We've discussed carrying certificates and related artefacts in HTTP
> for a long time. This draft from Mike and Martin is an evolution of
> several previous approaches. 
> 
> Please state whether you support adoption, and ideally why.
> Expressions of interest in implementation would also be very helpful.

I have been arguing before that doing certificate authentication in
HTTP/2 safely requires HTTP-level coordination, and still hold this
view. This spec is one way to do it.

What I don't like is MUST NOT send USE_CERTIFICATE without
CERTIFICATE_REQUIRED. This forces a client that wants to maintain
the required control in order to safely mux across authorities to
eat an extra RTT for every request (yes, it would be guessing without,
but likely highly accurate guessing[1]).

Also, with regard to certificate chains, there are still loads of
certificate chains that contain PKCS#1v1.5 signatures, and there will
likely be for the foreseeable future[2].


[1] Note that endpoints that deal with multiple authorities and
client certificates (e.g. browsers!) need to do such guessing today,
even for HTTP/1.1.


[2] Even if the signing certificate is not RSA, there might be RSA
signatures higher up. And even the signature from the root certificate
"leaks" into the second-highest certificate.


-Ilari