IETF Logo Mail Archive

Re: FYI: proposal for client authentication in TLS

Julian Reschke <julian.reschke@gmx.de> Tue, 11 March 2014 07:12 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B57FF1A0696 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 11 Mar 2014 00:12:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.449
X-Spam-Level:
X-Spam-Status: No, score=-7.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SjaW3HaLpxGD for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 11 Mar 2014 00:12:15 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 6508D1A06AB for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 11 Mar 2014 00:12:15 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1WNGpq-0004Oa-Eu for ietf-http-wg-dist@listhub.w3.org; Tue, 11 Mar 2014 07:10:46 +0000
Resent-Date: Tue, 11 Mar 2014 07:10:46 +0000
Resent-Message-Id: <E1WNGpq-0004Oa-Eu@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <julian.reschke@gmx.de>) id 1WNGpc-0004Ng-TT for ietf-http-wg@listhub.w3.org; Tue, 11 Mar 2014 07:10:32 +0000
Received: from mout.gmx.net ([212.227.15.19]) by lisa.w3.org with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from <julian.reschke@gmx.de>) id 1WNGpb-0007Tf-Q5 for ietf-http-wg@w3.org; Tue, 11 Mar 2014 07:10:32 +0000
Received: from [192.168.2.117] ([84.187.63.218]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0LbMmA-1X2LsU28VO-00kwuN; Tue, 11 Mar 2014 08:10:04 +0100
Message-ID: <531EB6CA.60007@gmx.de>
Date: Tue, 11 Mar 2014 08:10:02 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Yoav Nir <ynir.ietf@gmail.com>, Martin Thomson <martin.thomson@gmail.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>
References: <CABkgnnU1RMHN8sGsRc_KSw3+EutZnrrb-N=WpzP5wuqQ-ECe7Q@mail.gmail.com> <CABkgnnWDu301rXkX2u-AhptkSEr9AJb3LGJ3wfvVbhD0Oy4H6g@mail.gmail.com> <CAGvU-a57wsvyDf980psq7x5774YeRAM09OZM8_YwAdska=RABg@mail.gmail.com>
In-Reply-To: <CAGvU-a57wsvyDf980psq7x5774YeRAM09OZM8_YwAdska=RABg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:p26WFZ7KZUqUSko6rUDG5Xyp+cnyWZRP5wlG7N059Q6vtbZ6RMg yWdP3aOu1TsS8TJlJg5Mk1SkU8TjMjcrd0hvonBxd1xJssOhP16IHrjPO8gdDUjDjNqHNWk m0V2RaD6LoTcPMQVW8cC7Vgy+72K36f6MMEXAmGfePZEOOaMibG11oKaEiifebygW321Yen n0SJVqjPeaL2KNA2mVBfQ==
Received-SPF: pass client-ip=212.227.15.19; envelope-from=julian.reschke@gmx.de; helo=mout.gmx.net
X-W3C-Hub-Spam-Status: No, score=-4.4
X-W3C-Hub-Spam-Report: AWL=-2.481, BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1WNGpb-0007Tf-Q5 d7af03420da0986e73a6afc9c52eee56
X-Original-To: ietf-http-wg@w3.org
Subject: Re: FYI: proposal for client authentication in TLS
Archived-At: <http://www.w3.org/mid/531EB6CA.60007@gmx.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/22615
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 2014-03-11 07:16, Yoav Nir wrote:
> Hi, Martin
>
> Thanks for writing these drafts. Three comments about this one:
>
> 1. I would prefer a special response code that says "go away and don't
> come back without a certificate" rather than reusing 401, but that's
> just an aesthetic issue, not substantive.

Why?

It seems to me that 401 is totally applicable here.

> 2. I'm wondering if the message sent to the client can be expanded
> enough so that the browser sometimes does not need to pop up a
> certificate picker. For example, suppose I use a certificate with DN
> "CN=ynir,OU=users" to log in to my SSL-VPN portal. The portal has stored
> this information in my browser via a cookie. If a string representation
> of this DN in sent in the 401 message, the browser can open the new
> connection without bothering the user.

<http://tools.ietf.org/html/draft-thomson-httpbis-catch-00#section-2> 
already says:

    A challenge with this auth-scheme does not define the use of any
    parameters other than "realm".  Other parameters MAY be used to
    provide a client with information it can use to select an appropriate
    certificate.  Unknown parameters MUST be ignored.

The question is whether the draft needs to be more specific.

> 3. There is the issue of discovery. With current browsers (and TLS
> 1.0-1.2) the server initiates a renegotiation. A new browser (with TLS
> 1.0-1.3) would use this new mechanism. How does the server tell an old
> browser from a new one?

In HTTP/2, we forbid renegotiation (I believe), that a UA that speaks 
HTTP/2 will know what to do. (But then, how does this work for 2.0<->1.1 
intermediation?)

Best regards, Julian

v2.23.0 | Report a Bug | By Email