IETF Logo Mail Archive

Re: FYI: proposal for client authentication in TLS

"henry.story@bblfish.net" <henry.story@bblfish.net> Mon, 10 March 2014 09:18 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A97691A040F for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 10 Mar 2014 02:18:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.449
X-Spam-Level:
X-Spam-Status: No, score=-7.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LWwUqCR-zZ1r for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 10 Mar 2014 02:18:47 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id C99D91A0440 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 10 Mar 2014 02:18:13 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1WMwKl-0003Vr-E7 for ietf-http-wg-dist@listhub.w3.org; Mon, 10 Mar 2014 09:17:19 +0000
Resent-Date: Mon, 10 Mar 2014 09:17:19 +0000
Resent-Message-Id: <E1WMwKl-0003Vr-E7@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <henry.story@bblfish.net>) id 1WMwKZ-0003V4-9H for ietf-http-wg@listhub.w3.org; Mon, 10 Mar 2014 09:17:07 +0000
Received: from mail-we0-f175.google.com ([74.125.82.175]) by lisa.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <henry.story@bblfish.net>) id 1WMwKY-0002BJ-0P for ietf-http-wg@w3.org; Mon, 10 Mar 2014 09:17:06 +0000
Received: by mail-we0-f175.google.com with SMTP id q58so8142051wes.20 for <ietf-http-wg@w3.org>; Mon, 10 Mar 2014 02:16:39 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=bEE6JxocjTh9/SuX44AY8tdq+TDPEsH4uYHpWt0CG4Q=; b=c8dzu5xlwo7tzTtNMdRIewyzfKUvlyRH+o44tYoRkzRKd8LEi2zK3wEOezG/WjDnT4 TuOsUPmFiqkklAa3qyuDMMHcKjJHcezo+26G7MdZu48yTgyViAm75J8c9KhPR5uPboBf PDnZi6ppUKh25trC/Jv5jr/n1WGt01v/a8d9i/0sVJit0nZx+45sD0IseWKbLpxqDdvf jE/sXzO7uPrbB6haNAKDJJPoRSJdEohg0AF3fjuMlWNwIfJXl1Nim533ONSRv9cbBAIc h6nBCfW8NB2SKrwjdd97GjL/t0Y5VNw12GpYlZ1FgGZDJc/7qjOZMAB4hcl/rwjjYvEs HYig==
X-Gm-Message-State: ALoCoQltlBZJi3i8Dq6zpjobgcRYfxzNV9IZ5TAQpnPeza+KKK6r6ouM1OOolDGSi0k8Ad1ywTay
X-Received: by 10.194.174.135 with SMTP id bs7mr40146wjc.94.1394442999627; Mon, 10 Mar 2014 02:16:39 -0700 (PDT)
Received: from bblfish.home (AAubervilliers-651-1-65-22.w86-218.abo.wanadoo.fr. [86.218.56.22]) by mx.google.com with ESMTPSA id h9sm49109959wjz.16.2014.03.10.02.16.38 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 10 Mar 2014 02:16:38 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: "henry.story@bblfish.net" <henry.story@bblfish.net>
In-Reply-To: <CABkgnnWDu301rXkX2u-AhptkSEr9AJb3LGJ3wfvVbhD0Oy4H6g@mail.gmail.com>
Date: Mon, 10 Mar 2014 10:16:01 +0100
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Tim Berners-Lee <timbl@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6D44B737-BCB4-4EBF-A596-FC0DC6BDCD5C@bblfish.net>
References: <CABkgnnU1RMHN8sGsRc_KSw3+EutZnrrb-N=WpzP5wuqQ-ECe7Q@mail.gmail.com> <CABkgnnWDu301rXkX2u-AhptkSEr9AJb3LGJ3wfvVbhD0Oy4H6g@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.1874)
Received-SPF: none client-ip=74.125.82.175; envelope-from=henry.story@bblfish.net; helo=mail-we0-f175.google.com
X-W3C-Hub-Spam-Status: No, score=-3.8
X-W3C-Hub-Spam-Report: AWL=-3.095, RCVD_IN_DNSWL_LOW=-0.7
X-W3C-Scan-Sig: lisa.w3.org 1WMwKY-0002BJ-0P 9eda44d828e23bd5b86d931202525039
X-Original-To: ietf-http-wg@w3.org
Subject: Re: FYI: proposal for client authentication in TLS
Archived-At: <http://www.w3.org/mid/6D44B737-BCB4-4EBF-A596-FC0DC6BDCD5C@bblfish.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/22603
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 9 Mar 2014, at 08:37, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 8 March 2014 11:39, Martin Thomson <martin.thomson@gmail.com> wrote:
>> Pursuant to our discussion on TLS renegotiation, I've submitted part 1
>> of the solution I proposed as an internet draft.
>> 
>> http://datatracker.ietf.org/doc/draft-thomson-tls-care/
>> 
>> If we agree to a mechanism whereby we augment the 401 status code with
>> a "go away and make a new TLS connection with client authentication",
>> then this is necessary, so that the server knows to request a client
>> certificate.
> 
> Now with part 2:
> 
> http://datatracker.ietf.org/doc/draft-thomson-httpbis-catch/

I really like both of these.  I allready responded on the TLS mailing list
about draft-thomson-tls-care [1]. For draft-thomson-httbis-catch I would
like to suggest an improvement that would be essential for "self-signed"
or rather "unknown server signed" certificates, i.e., certificates signed
by some server that is not a CA. This allows for much more widespread
creation of client certificates, since they don't anymore need to be
verified by a few CAs, but instead allows the deployment of a web of
trust - a linked data web of trust to be precise. This allows one client
side certificate to be used to sign on to any web site.

A WebID is just an http(s) URL that refers to an Agent ( human, robot, 
organisation, ...) We have defined it in the spec "WebID 1.0" [2]. One
can then place a WebID in the Subject Alternative Name (SAN) field of an X509 
certificate as shown  in WebID Authentication over TLS [3] ( or even in the 
Issuer Alternative Name field (IAN)). The last spec relies on TLS as it is
currently, but would be redundant if draft-thomson-httpbis-catch went through.
(Until wide deployment of TLS1.3 which I suppose may take some time). 

Now I am not absolutely sure where this improvement I want to suggest, 
needs to be added: at the HTTP layer, or at the TLS layer. Currently TLS
allows a server to specify using the certificate_authorities list what
the list of Certificate Authorities the server accepts, so that the client
does not send Certificates that are not signed by one that is known to the server,
and which the server would then have to refuse.
But with WebID Authentication we don't need a CA, so it would be nice to be
able to specify that the server knows how to do WebID verification, ie part
5 and 6 of 
  http://www.w3.org/2005/Incubator/webid/spec/tls/#authentication-sequence
bB
If in TLS the server sends the empty certificate_authorities list. But that
is too wide, since that means the client can send ANY Certificate. The
server may not know what to do with most of them ( other than perhaps
identify the user indirectly by the public key, but that is only minimally
interesting - it does not allow one to build a web of trust ). 
 
My guess is that since this could evolve faster than the TLS layer, it may
be better if this were done in the HTTP header. So perhaps a header like

  WWW-Authenticate: ClientCertificate,SAN=WebID

would do. One could also imagine a 

  WWW-Authenticate: ClientCertificate,IAN=WebID

so that services with a lot of WebIDs could allow people to verify certificates
by verifying the issuer. A client seeing this would know that if the
server sent the empty certificate_authorities list, that it could filter its
available certificates by those that have the SAN or IAN fields filled in.

We have quite a few implementations of WebID on numerous servers, and in
pretty much every language, and we are finding it very useful. To get
a full overview of how this ties into a bigger picture including Web Access
Control, other authentication schemes, Linked Data Protocol,  etc... see our main 
intro page

  http://www.w3.org/2005/Incubator/webid/spec/

Hope this helps.

  Henry


[1] http://www.ietf.org/mail-archive/web/tls/current/msg11449.html
[2] http://www.w3.org/2005/Incubator/webid/spec/identity/
[3] http://www.w3.org/2005/Incubator/webid/spec/tls/

> 

Social Web Architect
http://bblfish.net/

v2.23.0 | Report a Bug | By Email