IETF Logo Mail Archive

RE: Client certificates in HTTP/2

Mike Bishop <Michael.Bishop@microsoft.com> Thu, 03 September 2015 20:08 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A182E1B324A for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 3 Sep 2015 13:08:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7JWtHtsK8ws5 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 3 Sep 2015 13:08:30 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FBA61B47E5 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 3 Sep 2015 13:08:30 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ZXakn-000781-N8 for ietf-http-wg-dist@listhub.w3.org; Thu, 03 Sep 2015 20:05:01 +0000
Resent-Date: Thu, 03 Sep 2015 20:05:01 +0000
Resent-Message-Id: <E1ZXakn-000781-N8@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <Michael.Bishop@microsoft.com>) id 1ZXakg-00077G-Lp for ietf-http-wg@listhub.w3.org; Thu, 03 Sep 2015 20:04:54 +0000
Received: from mail-bl2on0142.outbound.protection.outlook.com ([65.55.169.142] helo=na01-bl2-obe.outbound.protection.outlook.com) by lisa.w3.org with esmtps (TLS1.2:RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <Michael.Bishop@microsoft.com>) id 1ZXakf-000362-57 for ietf-http-wg@w3.org; Thu, 03 Sep 2015 20:04:54 +0000
Received: from BN3PR0301MB1249.namprd03.prod.outlook.com (10.161.207.25) by BN3PR0301MB1251.namprd03.prod.outlook.com (10.161.207.27) with Microsoft SMTP Server (TLS) id 15.1.231.21; Thu, 3 Sep 2015 20:04:25 +0000
Received: from BN3PR0301MB1249.namprd03.prod.outlook.com ([10.161.207.25]) by BN3PR0301MB1249.namprd03.prod.outlook.com ([10.161.207.25]) with mapi id 15.01.0262.011; Thu, 3 Sep 2015 20:04:25 +0000
From: Mike Bishop <Michael.Bishop@microsoft.com>
To: "henry.story@bblfish.net" <henry.story@bblfish.net>, Yoav Nir <ynir.ietf@gmail.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Thread-Topic: Client certificates in HTTP/2
Thread-Index: AQHQooro5C5BMiM9y0mRQrw2laAAg54rZE2AgABc5nA=
Date: Thu, 03 Sep 2015 20:04:24 +0000
Message-ID: <BN3PR0301MB1249C7C0D9068EB89F557FC987680@BN3PR0301MB1249.namprd03.prod.outlook.com>
References: <2EA3403F-E8D6-42E4-94BD-B7975D73B394@gmail.com> <31D74F06-8C24-4389-A983-D29B0F09D80A@bblfish.net>
In-Reply-To: <31D74F06-8C24-4389-A983-D29B0F09D80A@bblfish.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Bishop@microsoft.com;
x-originating-ip: [2001:4898:80e8:2::f7]
x-microsoft-exchange-diagnostics: 1; BN3PR0301MB1251; 5:/XGbgVKQq0XSRlIiK3ndw+OeEDx/tdorMSvdd+81YiEtNkKW6N7nRqTDSEI+jqdH67IE4whbFJmXwxLELRNZ1WDGRDKm0kFAyWi9gja2pvL1aO9h88eEuJtCTwQ0nQD9wHUK/BcbGUuIfNkXS5vB+w==; 24:s7Nxc2Ybvgwn4Vm+1NQ3DIxhxtK14fHKjBHtH4H7e8nm9cZWIifEvdv16hE/ecjfaTxZA468cUJGTXwjJqRFxQpNwMimuxa4yZWbWs49teY=; 20:4EahD24IuRV/Upc9HMGUlH81PsWlQUcac7MaNe+nEwM5zApNj8WKzhWnfmF0B9RAH3wMQ2AynGvvzURYhNrGNQ==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN3PR0301MB1251;
x-microsoft-antispam-prvs: <BN3PR0301MB12511F4DFE4CBEBD78D993AC87680@BN3PR0301MB1251.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(8121501046)(5005006)(3002001); SRVR:BN3PR0301MB1251; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0301MB1251;
x-forefront-prvs: 0688BF9B46
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(13464003)(189002)(24454002)(199003)(52044002)(86362001)(77156002)(101416001)(8990500004)(54356999)(87936001)(106356001)(50986999)(5004730100002)(86612001)(5001960100002)(189998001)(99286002)(33656002)(19580395003)(15395725005)(97736004)(5007970100001)(76176999)(68736005)(5001860100001)(40100003)(62966003)(5003600100002)(2501003)(5002640100001)(92566002)(122556002)(5001830100001)(105586002)(77096005)(10090500001)(2950100001)(4001540100001)(19580405001)(102836002)(64706001)(5005710100001)(81156007)(10290500002)(5001770100001)(10400500002)(74316001)(15975445007)(2900100001)(106116001)(46102003)(76576001)(3826002)(336755003)(18886065003); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0301MB1251; H:BN3PR0301MB1249.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Sep 2015 20:04:24.9577 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0301MB1251
Received-SPF: pass client-ip=65.55.169.142; envelope-from=Michael.Bishop@microsoft.com; helo=na01-bl2-obe.outbound.protection.outlook.com
X-W3C-Hub-Spam-Status: No, score=-3.9
X-W3C-Hub-Spam-Report: AWL=-2.457, BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_NW=0.5
X-W3C-Scan-Sig: lisa.w3.org 1ZXakf-000362-57 befa8865ac4cbad4b7572f48b0d3eca7
X-Original-To: ietf-http-wg@w3.org
Subject: RE: Client certificates in HTTP/2
Archived-At: <http://www.w3.org/mid/BN3PR0301MB1249C7C0D9068EB89F557FC987680@BN3PR0301MB1249.namprd03.prod.outlook.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/30175
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

There is also a pull request around adding client certificate support to TLS outside of renegotiation.  That can be found at: https://github.com/tlswg/tls13-spec/pull/209.  I think this is the best path forward -- maintaining the behavior in TLS and keeping the interaction consistent.  It does still leave us with the discussion of what to do in 1.2, but it sets the right path for the future.

There was some post-WG discussion that this PR should be split in two; one piece creating the new client cert mechanism and one piece expanding the ability to specify which certificate the server wants.  There's still work to be done here before it actually goes in, but this is a glimpse of the direction the TLS WG is moving.

-----Original Message-----
From: henry.story@bblfish.net [mailto:henry.story@bblfish.net] 
Sent: Thursday, September 3, 2015 7:28 AM
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: Client certificates in HTTP/2

I would like to point out that there is a discussion at the W3C Technical Architecture Group started by Tim Berners Lee relating to client certificates in the browser and authentication, following attempts by the WHATWG to deprecate the <keygen> functionality.

  https://lists.w3.org/Archives/Public/www-tag/2015Sep/0000.html

A good story about how one could authenticate in HTTP/2.0 using client certificates ( whatever form they take, be the JOSE or ASN1. ) would be extreemly helpful.

( I suppose there is a need to tie this into TLS to avoid man in the middle servers attacks like the secure resumption attack https://www.secure-resumption.com/ . Is that what the talk about "certificate slots" in SPDY is about? ) 

> On 9 Jun 2015, at 09:58, Yoav Nir <ynir.ietf@gmail.com> wrote:
> 
> Hi
> 
> Long time ago there was a long discussion about using client certificates on the web with HTTP/2. Feel free to skip the next paragraph if you remember the issue.
> 
> Most of the web does not use client certificates. Websites that do don’t like users to get a certificate picker when they first land on the page. So what they do is protect the site with regular, server-authenticated TLS and have a landing page. On the landing page there’s going to be something clickable that says “login with certificates”. When the user clicks that, it sends a request for some resource (maybe “/loginWithCerts.html”). When the server gets that request, it triggers the TLS layer to re-negotiate, this time with the certificate request message that causes the certificate picker to pop up. This is the way it’s usually done in HTTP/1, but for HTTP/2, section 9.2.1 prohibits this use or renegotiation and hints at future specification that might provide this.
> 
> So a year ago Martin Thomson wrote a pair of draft for solving this: one an HTTP authentication scheme that just says, “go away and come back with a certificate”, while the other is a TLS extension that tells the server that the client would like to authenticate:
> https://tools.ietf.org/html/draft-thomson-httpbis-catch-00
> https://tools.ietf.org/html/draft-thomson-tls-care-00
> 
> Neither was adopted, here or at TLS, so currently HTTP/2 is not usable with mutual authentication. Why has this (useful IMO) extension withered on the vine rather than progressed?  If anyone needs help in pushing this along, I’ll be glad to help.
> 
> Yoav
> 
> 

Social Web Architect
http://bblfish.net/

v2.23.0 | Report a Bug | By Email