IETF Logo Mail Archive

Re: Client-Cert Header draft

David Benjamin <davidben@chromium.org> Tue, 21 April 2020 20:17 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CB0F3A0943 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 21 Apr 2020 13:17:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.75
X-Spam-Level:
X-Spam-Status: No, score=-2.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5pqmjdl2f16A for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 21 Apr 2020 13:17:09 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 522783A0942 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 21 Apr 2020 13:17:09 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1jQzHG-00035C-KS for ietf-http-wg-dist@listhub.w3.org; Tue, 21 Apr 2020 20:13:54 +0000
Resent-Date: Tue, 21 Apr 2020 20:13:54 +0000
Resent-Message-Id: <E1jQzHG-00035C-KS@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <davidben@google.com>) id 1jQzHF-00034M-7T for ietf-http-wg@listhub.w3.org; Tue, 21 Apr 2020 20:13:53 +0000
Received: from mail-pj1-x102e.google.com ([2607:f8b0:4864:20::102e]) by mimas.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <davidben@google.com>) id 1jQzHC-0000Ok-OG for ietf-http-wg@w3.org; Tue, 21 Apr 2020 20:13:53 +0000
Received: by mail-pj1-x102e.google.com with SMTP id a5so1082914pjh.2 for <ietf-http-wg@w3.org>; Tue, 21 Apr 2020 13:13:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9SObCLXHrGUBwhG2UoHnh1QEUmc6NlexJULWqbVzeZE=; b=YPxNdvLIXxifwq3CzYM3ZONlC+rJGwMedbC6EygZf18/zFeyCa/cjjzghQmFIXHRTq jPx3Mc8RKr3tomaxVLLL/8foLTMNct0/p8opNb6nFVpiut6q/wKhZdGHr4oBa/9O0gsi 6D6IPTzBrSXHOFgOD7j3inR315Lar8ZqfIshs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9SObCLXHrGUBwhG2UoHnh1QEUmc6NlexJULWqbVzeZE=; b=OgWU4Z4FvNO9EMXliOr91PsJwHFssS8BzAnbBeU0z4IAkjb4JXjws6AjV9ylfe3rb1 wULhWLk+ihEZjTPI+0coX+fnStFjr2XiibgpazUbHM8kAcRtyWggieK9LrLiXH/S3BL7 N8fg5fddeAcYB104kKHNkhkmvLD9FRl42ExgBgPnLoLGjT9yRgN3IYoPGChQoad7KSU1 83i+eLtIaDZMgJH9e77NJxphOmJ/TCVP0oiFV8ff7wiHxeBvy2ZGOHxJ2lmPYHpqtHxr U+Z9UZJGK+KxIUhJGljzolZqAaUiERJ50BGng5YnJfK47kFjsNw5rEXma5oI8CI0CFC8 PW8A==
X-Gm-Message-State: AGi0Pub04KfCOoTpo0AWl/W1nWI9Bk7aZ8yuY1uzsOfOFRgYdZN9jb9H kEghvt6wrbsB7bqQVS7i3QN+wGru2zU7gNAVZoBK
X-Google-Smtp-Source: APiQypLMRDAAQDJeue7TWCbASQ+iwnsteXNvVoAxC6fsljwK1ZorPHB+ju3luN1zI2Y00OEx70Fpeaud4vIKczs8cHo=
X-Received: by 2002:a17:902:b187:: with SMTP id s7mr24480649plr.0.1587500019042; Tue, 21 Apr 2020 13:13:39 -0700 (PDT)
MIME-Version: 1.0
References: <CA+k3eCRQhuS9TyEVdF6ZAfLSyPngjDLvctUTc++2Ok+RJmw0qA@mail.gmail.com> <CH2PR22MB208612E57276557568F843E2DAD90@CH2PR22MB2086.namprd22.prod.outlook.com> <CALGR9oaEiWBa3gqH1YiiqaQSprQ7XDAem8+VgD+qJq8KZwUv-A@mail.gmail.com> <CAF8qwaCeP-d4yhrRhdoqfjuPuEiXqeK1KZGXkdabM__LE-0vtQ@mail.gmail.com> <CA+k3eCS=z5ohQo4DQjs7CFPyDjXP3aV0gL+SZKfNhP1YREsbcg@mail.gmail.com>
In-Reply-To: <CA+k3eCS=z5ohQo4DQjs7CFPyDjXP3aV0gL+SZKfNhP1YREsbcg@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 21 Apr 2020 16:13:22 -0400
Message-ID: <CAF8qwaAGrj4wP76aucqjZ_YthcAtB2K2xi4K6MD=0bfnEejq5Q@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Lucas Pardue <lucaspardue.24.7@gmail.com>, Mike Bishop <mbishop@evequefou.be>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="000000000000b7c04405a3d2a608"
Received-SPF: pass client-ip=2607:f8b0:4864:20::102e; envelope-from=davidben@google.com; helo=mail-pj1-x102e.google.com
X-W3C-Hub-Spam-Status: No, score=-11.2
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1jQzHC-0000Ok-OG 0df8d361c2b7ae284abfa5d9b03bdd47
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Client-Cert Header draft
Archived-At: <https://www.w3.org/mid/CAF8qwaAGrj4wP76aucqjZ_YthcAtB2K2xi4K6MD=0bfnEejq5Q@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37534
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

HTTP 403 and especially application level controls do not work. While some
misconfigured servers do report the error outside TLS, they are
misconfiguration. As a client, we consider this scenario unsupported. The
poor caching behavior is on the server operator, as the defined mechanism
for reporting a TLS client certificate error, namely a TLS alert, was not
used.

We should not standardize a misconfiguration. Wanting to separate TLS
termination from access control is plausible, but any attempt to solve this
problem must be done holistically. This includes defining error-handling
and making sure it actually works.

On Mon, Apr 20, 2020 at 6:14 PM Brian Campbell <bcampbell@pingidentity.com>
wrote:

> Very true that connection-level authentication doesn't always play well
> with HTTP. But the intended scope of this draft isn't trying to address
> that. It's only trying to bring some commonality to what's typically done
> in practice now. I would think an HTTP 403 or even application level
> controls on content is what's happening now regardless. The approach in
> this draft does mean that authorization errors aren't going to be conveyed
> back to the client at the connection level but, as you point out, doing so
> is differently odd. So much so that I don't think the draft needs to do
> anything to facilitate it.
>
> On Fri, Apr 17, 2020 at 3:12 PM David Benjamin <davidben@chromium.org>
> wrote:
>
>> This draft isn't sufficient to properly move the access checks out of the
>> TLS terminator. More care is needed here. There is a "distaste for client
>> certificates from some quarters" for a reason.
>>
>> In general, connection-level authentication does not play well with HTTP.
>> Server identities are generally public, so there is no complex policy
>> around when to release them. Client identities are generally user
>> identities and thus sensitive, with local policies, usually involving user
>> prompts and selections. That interacts badly with client certificates. It
>> just barely works today, but moving individual components without thought
>> as to the overall picture will break it.
>>
>> In particular, client HTTP stacks necessarily cache client certificate
>> decisions. Without caching, the user is potentially prompted on every HTTP
>> request, but a user session involves many HTTP requests. Additionally, the
>> decision is inherently cached by way of connection reuse and session
>> resumption optimizations. Short of forcing a full TLS handshake on every
>> HTTP request, clients could not prompt on every HTTP request if they wanted
>> to. That means the HTTP stacks need an explicit signal, or no amount of
>> reloads will allow the user to select a different identity.
>>
>> Currently, the only signal for a bad client certificate is a fatal TLS
>> alert. If the access checks are moved, bad client certificate signals will
>> come out of the origin server, which cannot generate those. This draft may
>> need to define a suitable HTTP 4xx code to correspond with TLS client
>> certificate authentication. Of course, existing clients won't know to
>> process that, but perhaps the origin server should translate to a TLS
>> alert? But then the response is never delivered, which may be differently
>> odd. Then one must consider the interaction with HTTP/2, which multiplexes
>> streams and potentially multiple origins together.
>>
>> There may be further problems here that I haven't thought through. The
>> suggestion of this enabling finer-grained access control worries me.
>>
>> On Fri, Apr 17, 2020 at 3:29 PM Lucas Pardue <lucaspardue.24.7@gmail.com>
>> wrote:
>>
>>> +1 to everything Mike said
>>>
>>> On Fri, 17 Apr 2020, 20:24 Mike Bishop, <mbishop@evequefou.be> wrote:
>>>
>>>> Despite the distaste for client certificates from some quarters, they
>>>> are still both used and useful.  I’m certainly interested in seeing this
>>>> progress.
>>>>
>>>>
>>>>
>>>> In today’s situation, the intermediary checks that the cert matches the
>>>> rules it has been given to authenticate clients, and only forwards the
>>>> requests from valid clients.  Arguably, the origin is offloading less trust
>>>> in this draft’s model – the intermediary is responsible for validating that
>>>> the client possesses the claimed certificate, but might leave the origin to
>>>> decide what scope of access the certificate actually grants.  That allows
>>>> finer-grained access control, but also allows greater ability to send
>>>> requests back to the origin.  It also opens the door for intermediaries
>>>> which don’t support this header to accidentally forward requests containing
>>>> it.  Requiring intermediaries to drop it doesn’t get you much, since only
>>>> those intermediaries aware of the spec will comply by dropping the header.
>>>> To help address these, I’d like to see this mix in something that the
>>>> intermediary holds and the client doesn’t, such as an exporter from its TLS
>>>> connection to the server.
>>>>
>>>>
>>>>
>>>> But all that is refinement – the core concept here is beneficial, and
>>>> I’d like to see more engagement here.
>>>>
>>>>
>>>>
>>>> *From:* Brian Campbell <bcampbell@pingidentity.com>
>>>> *Sent:* Wednesday, April 15, 2020 5:01 PM
>>>> *To:* HTTP Working Group <ietf-http-wg@w3.org>
>>>> *Subject:* Client-Cert Header draft
>>>>
>>>>
>>>>
>>>> Hello HTTP Working Group,
>>>>
>>>>
>>>>
>>>> I've somewhat inadvertently found myself working on this draft
>>>> https://datatracker.ietf.org/doc/draft-bdc-something-something-certificate/,
>>>> which aspires to define a "Client-Cert" HTTP header field that allows a TLS
>>>> terminating reverse proxy to convey information about the client
>>>> certificate of a mutually-authenticated TLS connection to an origin server
>>>> in a common and predictable manner.
>>>>
>>>>
>>>>
>>>> I presented the concept
>>>> <https://datatracker.ietf.org/meeting/107/materials/slides-107-secdispatch-client-cert-http-header-00>
>>>> at the recent virtual IETF 107 secdispatch meeting
>>>> <https://datatracker.ietf.org/meeting/107/materials/minutes-107-secdispatch-00>
>>>> and the outcome from that was basically that there seems to be some
>>>> interest in pursuing the work and the suggestion that the conversation be
>>>> taken to the HTTPbis WG (and also keep TLS WG involved - presumably if the
>>>> work progresses). And that's what brings me here. I also hope to get a
>>>> little bit of time at one of the upcoming virtual interims to
>>>> present/discuss the draft.
>>>>
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Brian
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>> privileged material for the sole use of the intended recipient(s). Any
>>>> review, use, distribution or disclosure by others is strictly prohibited..
>>>> If you have received this communication in error, please notify the sender
>>>> immediately by e-mail and delete the message and any file attachments from
>>>> your computer. Thank you.*
>>>>
>>>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*

v2.23.0 | Report a Bug | By Email