Re: FYI: proposal for client authentication in TLS

Yoav Nir <ynir.ietf@gmail.com> Tue, 11 March 2014 06:20 UTC

Date: Tue, 11 Mar 2014 08:16:15 +0200
Message-ID: <CAGvU-a57wsvyDf980psq7x5774YeRAM09OZM8_YwAdska=RABg@mail.gmail.com>
From: Yoav Nir <ynir.ietf@gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>

Hi, Martin

Thanks for writing these drafts. Three comments about this one:

1. I would prefer a special response code that says "go away and don't come
back without a certificate" rather than reusing 401, but that's just an
aesthetic issue, not substantive.

2. I'm wondering if the message sent to the client can be expanded enough
so that the browser sometimes does not need to pop up a certificate picker.
For example, suppose I use a certificate with DN "CN=ynir,OU=users" to log
in to my SSL-VPN portal. The portal has stored this information in my
browser via a cookie. If a string representation of this DN is sent in the
401 message, the browser can open the new connection without bothering the
user.

3. There is the issue of discovery. With current browsers (and TLS 1.0-1.2)
the server initiates a renegotiation. A new browser (with TLS 1.0-1.3)
would use this new mechanism. How does the server tell an old browser from
a new one?

Yoav



On Sun, Mar 9, 2014 at 9:37 AM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 8 March 2014 11:39, Martin Thomson <martin.thomson@gmail.com> wrote:
> > Pursuant to our discussion on TLS renegotiation, I've submitted part 1
> > of the solution I proposed as an internet draft.
> >
> > http://datatracker.ietf.org/doc/draft-thomson-tls-care/
> >
> > If we agree to a mechanism whereby we augment the 401 status code with
> > a "go away and make a new TLS connection with client authentication",
> > then this is necessary, so that the server knows to request a client
> > certificate.
>
> Now with part 2:
>
> http://datatracker.ietf.org/doc/draft-thomson-httpbis-catch/
>
>
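As an added illustration of Yoav's second point (not code from the thread or from either draft), here is a client-side selector that reads a DN hint from a 401 response and picks a stored certificate only when exactly one matches, otherwise leaving the decision to the certificate picker. The header name `X-Client-Cert-Hint`, the sample 401 and the certificate store are all constructed assumptions.

```python
# Added example, not part of the thread or the cited drafts.
import re
from typing import Optional

# Hypothetical header carrying the DN hint; neither draft defines such a field.
HINT_HEADER = "X-Client-Cert-Hint"

def parse_dn(dn: str) -> tuple:
    """Parse an RFC 4514-style DN ("CN=ynir,OU=users") into a normalized tuple
    of (type, value) pairs: types lower-cased, values trimmed and lower-cased,
    escaped commas inside values honoured."""
    out = []
    for rdn in re.split(r'(?<!\\),', dn):
        if '=' not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, _, val = rdn.partition('=')
        out.append((attr.strip().lower(), val.replace('\\,', ',').strip().lower()))
    return tuple(out)

def select_certificate(headers: dict, stored_subjects: list) -> Optional[str]:
    """Return the one stored subject matching the hint, or None when the
    client must fall back to the picker (no hint, bad hint, no or many matches)."""
    hint = next((v for k, v in headers.items() if k.lower() == HINT_HEADER.lower()), None)
    if hint is None:
        return None
    try:
        wanted = parse_dn(hint)
    except ValueError:
        return None  # unparseable hint: do not guess, let the user choose
    matches = [s for s in stored_subjects if parse_dn(s) == wanted]
    return matches[0] if len(matches) == 1 else None

# Constructed sample: the portal's 401 hint and the certificates in the store.
SAMPLE_401_HEADERS = {HINT_HEADER: "CN=ynir,OU=users"}
SAMPLE_STORE = ["CN=ynir, OU=users", "CN=ynir,OU=admins", "CN=someone,OU=users"]

if __name__ == "__main__":
    print(select_certificate(SAMPLE_401_HEADERS, SAMPLE_STORE))
```

The ambiguity rule matters: if two stored certificates normalize to the same subject, the selector refuses to choose rather than silently presenting the wrong identity.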