Re: Client-Cert Header draft

"Soni L." <fakedme+http@gmail.com> Mon, 20 April 2020 22:27 UTC

Sender: "Soni L." <fakedme@gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
References: <CA+k3eCRQhuS9TyEVdF6ZAfLSyPngjDLvctUTc++2Ok+RJmw0qA@mail.gmail.com> <C8B0E972-CE82-495D-B657-E5B52B6EAE20@mit.edu> <515d3c47-11c5-c557-f5eb-4c98fff86416@gmail.com> <CA+k3eCRa8YYWVHTkpUGGQj61Uqmp1T_gZyuOTMD=yCXQJ3ZHTA@mail.gmail.com>
From: "Soni L." <fakedme+http@gmail.com>
Message-ID: <c2ea39c4-904f-7c15-b45f-b8b5bf96ad8d@gmail.com>
Date: Mon, 20 Apr 2020 19:26:48 -0300
Subject: Re: Client-Cert Header draft
Archived-At: <https://www.w3.org/mid/c2ea39c4-904f-7c15-b45f-b8b5bf96ad8d@gmail.com>

You'd still have a reverse proxy that's terminating TLS and talking HTTP 
with the backend.

You'd just also have a way for that reverse proxy to pass a raw TLS 
stream through, so the client can talk HTTPS with the backend when 
needed. It'd still be in the middle of the connection and fully capable 
of terminating it if it detects potentially abusive behaviour.

On 2020-04-20 7:20 p.m., Brian Campbell wrote:
> That's really quite different than the intended scope of the draft, 
> which was/is a reverse proxy that's terminating TLS (from the client's 
> perspective anyway) and talking HTTP with the backend.
>
> On Fri, Apr 17, 2020 at 3:25 PM Soni L. <fakedme+http@gmail.com 
> <mailto:fakedme%2Bhttp@gmail.com>> wrote:
>
>     if I may, I'd like to suggest a websocket-like mechanism that's
>     initiated by TLS terminators.
>
>     if the TLS terminator thinks a request needs to reach the server,
>     it can let the client request directly from the server that way,
>     including client certs and whatnot. if done right, this would also
>     allow protection of other sensitive user data (e.g. direct
>     messages) from the TLS terminator.
>
>     On 2020-04-17 5:58 p.m., Justin Richer wrote:
>>     +1 for seeing this adopted and progressing within this group.
>>     This is a simple thing that different developers have had to
>>     solve for decades and each has solved it in trivially different
>>     ways. I would love to see one commonly-accepted way to do this.
>>
>>     TLS terminators aren’t going away any time soon, so I think we
>>     should make them at least a bit more manageable.
>>
>>      — Justin
>>
>>>     On Apr 15, 2020, at 5:01 PM, Brian Campbell
>>>     <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>>
>>>     wrote:
>>>
>>>     Hello HTTP Working Group,
>>>
>>>     I've somewhat inadvertently found myself working on this draft
>>>     https://datatracker.ietf.org/doc/draft-bdc-something-something-certificate/,
>>>     which aspires to define a "Client-Cert" HTTP header field that
>>>     allows a TLS terminating reverse proxy to convey information
>>>     about the client certificate of a mutually-authenticated TLS
>>>     connection to an origin server in a common and predictable manner.
>>>
>>>     I presented the concept
>>>     <https://datatracker.ietf.org/meeting/107/materials/slides-107-secdispatch-client-cert-http-header-00>
>>>     at the recent virtual IETF 107 secdispatch meeting
>>>     <https://datatracker.ietf.org/meeting/107/materials/minutes-107-secdispatch-00>
>>>     and the outcome from that was basically that there seems to be
>>>     some interest in pursuing the work and the suggestion that the
>>>     conversation be taken to the HTTPbis WG (and also keep TLS WG
>>>     involved - presumably if the work progresses). And that's what
>>>     brings me here. I also hope to get a little bit of time at one
>>>     of the upcoming virtual interims to present/discuss the draft.
>>>
>>>     Thanks,
>>>     Brian
>>>
>>>     /CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>     privileged material for the sole use of the intended
>>>     recipient(s). Any review, use, distribution or disclosure by
>>>     others is strictly prohibited. If you have received this
>>>     communication in error, please notify the sender immediately by
>>>     e-mail and delete the message and any file attachments from your
>>>     computer. Thank you./
>>
>
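The arrangement Brian describes, a TLS-terminating reverse proxy conveying the client certificate to the origin in a "Client-Cert" header field, as an added Python illustration that is not part of this thread or of the draft. The base64-of-DER header encoding, the function names `proxy_forward` and `origin_extract_cert`, the trusted-hop flag and the sample certificate bytes are all assumptions made for the example, not the draft's normative design. It models the two checks such a deployment depends on: the proxy discards any "Client-Cert" header the client itself sent before adding its own, and the origin honours the header only on the hop it trusts.

```python
"""
Added example (not from the thread or the draft): a toy model of the
reverse-proxy / origin split the Client-Cert draft targets. The proxy
terminates mutual TLS, strips any client-supplied "Client-Cert" header,
and inserts its own copy carrying the presented certificate; the origin
accepts the header only from its trusted proxy hop. The base64-of-DER
encoding used here is an assumption for illustration.
"""
import base64

HEADER = "Client-Cert"

# Constructed placeholder standing in for a DER-encoded certificate
# (not a real certificate): a DER SEQUENCE tag followed by filler bytes.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"\x00" * 8


def proxy_forward(client_headers, client_cert_der):
    """Build the header set the proxy sends on to the origin.

    Any "Client-Cert" header the client itself sent is discarded, so a
    client cannot forge the proxy's assertion; the proxy then adds the
    header only when a certificate was actually presented on the TLS
    connection it terminated.
    """
    forwarded = {
        name: value
        for name, value in client_headers.items()
        if name.lower() != HEADER.lower()
    }
    if client_cert_der is not None:
        forwarded[HEADER] = base64.b64encode(client_cert_der).decode("ascii")
    return forwarded


def origin_extract_cert(headers, from_trusted_proxy):
    """Return the DER certificate bytes asserted by the proxy, or None.

    The origin trusts the header only on the hop it knows is its proxy
    (for example a private network or a proxy-authenticated connection);
    on any other hop the header is ignored entirely, whatever it says.
    """
    if not from_trusted_proxy:
        return None
    value = None
    for name, candidate in headers.items():
        if name.lower() == HEADER.lower():
            value = candidate
    if value is None:
        return None
    try:
        # validate=True rejects stray characters instead of skipping them.
        der = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Minimal sanity check: a DER certificate starts with a SEQUENCE tag.
    if not der or der[0] != 0x30:
        return None
    return der


if __name__ == "__main__":
    # Client tries to smuggle its own header; the proxy replaces it.
    incoming = {"Host": "origin.example", "Client-Cert": "forged-value"}
    to_origin = proxy_forward(incoming, SAMPLE_CERT_DER)
    print(to_origin)
    print(origin_extract_cert(to_origin, from_trusted_proxy=True) == SAMPLE_CERT_DER)
    # The same header arriving on an untrusted hop is ignored.
    print(origin_extract_cert(incoming, from_trusted_proxy=False))
```

The point of keeping both checks is that each covers the other's gap: stripping at the proxy is useless if a client can reach the origin directly, and the origin's trusted-hop check is useless if the proxy forwards whatever header the client supplied.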