FW: New Version Notification for draft-thomson-http2-client-certs-01.txt

Mike Bishop <Michael.Bishop@microsoft.com> Tue, 26 January 2016 20:27 UTC

From: Mike Bishop <Michael.Bishop@microsoft.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Date: Tue, 26 Jan 2016 20:23:00 +0000
Message-ID: <CY1PR03MB1374890E32B6F6CA2AB78D8D87D80@CY1PR03MB1374.namprd03.prod.outlook.com>
References: <20160122222315.28781.93913.idtracker@ietfa.amsl.com>
In-Reply-To: <20160122222315.28781.93913.idtracker@ietfa.amsl.com>
Subject: FW: New Version Notification for draft-thomson-http2-client-certs-01.txt
Archived-At: <http://www.w3.org/mid/CY1PR03MB1374890E32B6F6CA2AB78D8D87D80@CY1PR03MB1374.namprd03.prod.outlook.com>
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/30999

Based on feedback from this WG in Yokohama and on-list feedback from the TLS WG, Martin and I have a new (largely rewritten) version of the client cert draft.  As I promised Mark, people will hate it, but they will at least hate it in different ways than the previous version!
You can read the draft for the details, but here are the two high-level ideas that drove this version:

· TLS 1.2 doesn't prohibit continuing to pass application data during a renegotiation, but nearly every implementation has that restriction and doesn't intend to change it.  For a multiplexed protocol like HTTP/2, that's not a good thing, and deploying fundamental changes to all TLS 1.2 implementations is on par with just making everyone upgrade to TLS 1.3.

· We discussed in Yokohama why it's not feasible to transparently replace cert auth with something at the HTTP semantic layer.  But the HTTP/2 framing layer has no such restriction.
This draft replicates the TLS 1.3 messages in HTTP/2 frames on stream zero instead – CertificateRequest (a CERTIFICATE_REQUEST frame), Certificate (one or more CERTIFICATE frames), and CertificateVerify (a CERTIFICATE_PROOF frame).  Because these are shared context in the session and need to be tied back to the streams, two more frames (CERTIFICATE_REQUIRED and USE_CERTIFICATE) exist to provide that stream-to-request link on each side.  It’s more frames than we wanted and we’ve argued them in circles, but each provides a useful property that we ultimately didn’t want to give up.  The result provides client certificate authentication for HTTP/2 regardless of the underlying TLS version (but does still require TLS).
In the current form, it maintains a couple of TLS 1.3 properties that may or may not be desirable, and we’re looking for feedback on those especially:

· One CertificateRequest gets one Certificate (with chain) back, even if tied to multiple streams.  You can't "split" a request and send different certs for different streams on which the server made the same request.  (You can refuse to link the cert back and hope the server sends a fresh request, though.)

· Martin says the TLS WG has agreed to remove spontaneous client authentication from TLS 1.3, so this draft doesn't allow for the client to send a certificate the server hasn't asked for yet.
With that as preface, it’s open for discussion!
-----Original Message-----
From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
Sent: Friday, January 22, 2016 2:23 PM
To: Martin Thomson <martin.thomson@gmail.com>; Mike Bishop <Michael.Bishop@microsoft.com>
Subject: New Version Notification for draft-thomson-http2-client-certs-01.txt
A new version of I-D, draft-thomson-http2-client-certs-01.txt has been successfully submitted by Mike Bishop and posted to the IETF repository.
Name:           draft-thomson-http2-client-certs
Revision:       01
Title:          Reactive Certificate-Based Client Authentication in HTTP/2
Document date:  2016-01-22
Group:          Individual Submission
Pages:          19
URL:            https://www.ietf.org/internet-drafts/draft-thomson-http2-client-certs-01.txt
Status:         https://datatracker.ietf.org/doc/draft-thomson-http2-client-certs/
Htmlized:       https://tools.ietf.org/html/draft-thomson-http2-client-certs-01
Diff:           https://www.ietf.org/rfcdiff?url2=draft-thomson-http2-client-certs-01
Abstract:

   Some HTTP servers provide a subset of resources that require
   additional authentication to interact with.  HTTP/1.1 servers rely on
   TLS renegotiation that is triggered by a request to a protected
   resource.  HTTP/2 made this pattern impossible by forbidding the use
   of TLS renegotiation.  While TLS 1.3 provides an alternate mechanism
   to obtain client certificates, this mechanism does not map well to
   usage in TLS 1.2.

   This document describes how client authentication might be
   requested by a server as a result of receiving a request to a
   protected resource.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
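As an added illustration (not code from the draft or its authors), here is a small Python model of the stream-zero exchange Mike describes above: the server ties streams to a CERTIFICATE_REQUEST via CERTIFICATE_REQUIRED, the client answers with CERTIFICATE frames plus a CERTIFICATE_PROOF, and USE_CERTIFICATE links each stream back. The server-side checks enforce the two TLS 1.3 properties he asks for feedback on: one request gets exactly one chain, and a certificate the server never asked for is refused. The frame field names, the dict encoding, the hash-based stand-in for the proof, and the rule that only streams named in CERTIFICATE_REQUIRED may be linked are assumptions of this model, not anything the draft specifies.

```python
import hashlib

# Frame names follow the message above; field names (request_id, stream,
# cert, proof) and the dict encoding are this model's assumptions, not wire format.

class ProtocolError(Exception):
    pass

def toy_proof(chain, request_id):
    # Stand-in for CertificateVerify: a real CERTIFICATE_PROOF carries a signature.
    return hashlib.sha256(b"".join(chain) + str(request_id).encode()).hexdigest()

class ServerCertState:
    """Server-side state for reactive client-cert auth over stream zero."""
    def __init__(self):
        self.next_id = 1
        self.pending = {}      # request_id -> streams named by CERTIFICATE_REQUIRED
        self.chains = {}       # request_id -> CERTIFICATE payloads received so far
        self.verified = set()  # request_ids whose CERTIFICATE_PROOF checked out
        self.stream_cert = {}  # stream_id -> request_id linked by USE_CERTIFICATE

    def require_certificate(self, stream_id, reuse=None):
        """Tie a stream to a new or an outstanding request; only a new request
        also emits CERTIFICATE_REQUEST on stream 0."""
        rid = self.next_id if reuse is None else reuse
        frames = [{"type": "CERTIFICATE_REQUIRED", "stream": stream_id, "request_id": rid}]
        if reuse is None:
            self.next_id += 1
            frames.append({"type": "CERTIFICATE_REQUEST", "stream": 0, "request_id": rid})
        self.pending.setdefault(rid, set()).add(stream_id)
        return frames

    def on_frame(self, f):
        rid, kind = f["request_id"], f["type"]
        if rid not in self.pending:  # no spontaneous client auth
            raise ProtocolError(f"{kind} answers no outstanding request")
        if kind == "CERTIFICATE":
            if rid in self.verified:  # one request gets exactly one chain
                raise ProtocolError("certificate already supplied for this request")
            self.chains.setdefault(rid, []).append(f["cert"])
        elif kind == "CERTIFICATE_PROOF":
            if rid not in self.chains or f["proof"] != toy_proof(self.chains[rid], rid):
                raise ProtocolError("proof does not cover the presented chain")
            self.verified.add(rid)
        elif kind == "USE_CERTIFICATE":
            if rid not in self.verified or f["stream"] not in self.pending[rid]:
                raise ProtocolError("stream is not tied to a verified certificate")
            self.stream_cert[f["stream"]] = rid
        else:
            raise ProtocolError(f"unexpected {kind} from client on stream 0")
```

A second stream hitting the same protected area reuses the outstanding request (reuse=1), so the client sends one chain and two USE_CERTIFICATE frames rather than splitting the answer.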