Re: Client Certificates - re-opening discussion
"henry.story@bblfish.net" <henry.story@bblfish.net> Fri, 18 September 2015 18:15 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F11621B2F8C for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 18 Sep 2015 11:15:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L61v0THWRvs1 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 18 Sep 2015 11:15:29 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A6571B2F86 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 18 Sep 2015 11:15:29 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Zd08b-0003EU-Hi for ietf-http-wg-dist@listhub.w3.org; Fri, 18 Sep 2015 18:11:57 +0000
Resent-Date: Fri, 18 Sep 2015 18:11:57 +0000
Resent-Message-Id: <E1Zd08b-0003EU-Hi@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <henry.story@bblfish.net>) id 1Zd08W-0003De-7r for ietf-http-wg@listhub.w3.org; Fri, 18 Sep 2015 18:11:52 +0000
Received: from mail-wi0-f180.google.com ([209.85.212.180]) by lisa.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <henry.story@bblfish.net>) id 1Zd08U-0003fj-Ky for ietf-http-wg@w3.org; Fri, 18 Sep 2015 18:11:51 +0000
Received: by wiclk2 with SMTP id lk2so74646316wic.0 for <ietf-http-wg@w3.org>; Fri, 18 Sep 2015 11:11:23 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:content-transfer-encoding:message-id:references:to; bh=VzztyX5bpQRxVLvNUcw3+vZLjgUicOOZhp7xn0VGN/w=; b=jsjU1yzSYH/aakat/fgWa9DvfXWVi9ChV4/iy5RO/2BEtpf1vUKzflKa4qH4eouIJh bBeV5WSDam1qxdQpHkqjHca1fy4Z7WNq18BV8dRNEyqQrbyRsIzGvRwREKVB/OzI0HX3 zM1NQqS1ZdiqatMtZoe++TDVocep6r/XV0nXiOOiHfblEwlrOBIY7hRB/RmuAK7gMIR7 YNl9jnrF+NgdGESHJyqRtpSVCpyZiXBHgrm7P+T3LNoFy+u/rXloiQ6/IklLSG2mY1WL cu274ckQvjjZXaS51DlCfH6L9QH8o1jCkPLfdCEMFx8cijfy1aTMk2KIaZjqGzYEocpj DZDg==
X-Gm-Message-State: ALoCoQmwOZdesCbi/9fruebzTuTwDBqeHjCyEt+oWRYilr6z54n+H7eJk8miVwIOulyFhGJi9Jzl
X-Received: by 10.194.5.35 with SMTP id p3mr9994797wjp.132.1442599882935; Fri, 18 Sep 2015 11:11:22 -0700 (PDT)
Received: from [192.168.0.2] (cpc2-popl3-2-0-cust563.13-2.cable.virginm.net. [86.21.242.52]) by smtp.gmail.com with ESMTPSA id wc12sm4066386wic.18.2015.09.18.11.11.21 for <ietf-http-wg@w3.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 18 Sep 2015 11:11:21 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: "henry.story@bblfish.net" <henry.story@bblfish.net>
In-Reply-To: <20150918174530.GA9394@LK-Perkele-VII>
Date: Fri, 18 Sep 2015 19:11:20 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <FAA0B16A-C985-4741-91AB-2B08001100A8@bblfish.net>
References: <63DECDF0-AB59-4AFD-8E48-8C2526FD6047@mnot.net> <20150918174530.GA9394@LK-Perkele-VII>
To: HTTP Working Group <ietf-http-wg@w3.org>
X-Mailer: Apple Mail (2.2104)
Received-SPF: none client-ip=209.85.212.180; envelope-from=henry.story@bblfish.net; helo=mail-wi0-f180.google.com
X-W3C-Hub-Spam-Status: No, score=-7.1
X-W3C-Hub-Spam-Report: AWL=0.463, BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1Zd08U-0003fj-Ky 4b17915c2f403e7b7c9e1f4dee95fdec
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Client Certificates - re-opening discussion
Archived-At: <http://www.w3.org/mid/FAA0B16A-C985-4741-91AB-2B08001100A8@bblfish.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/30218
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
> On 18 Sep 2015, at 18:45, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote: > > On Thu, Sep 17, 2015 at 06:10:49PM -0400, Mark Nottingham wrote: >> Hi, >> >> We've talked about client certificates in HTTP/2 (and elsewhere) >> for a while, but the discussion has stalled. >> >> If you have a proposal or thoughts that might become a proposal >> in this area, please brush it off and be prepared. Of course, we >> can discuss on-list in the meantime. > > Basically, the ways I know one could do client certs in HTTP/2 have > both been floated before: > > 1) Signal about client cert being needed, client can establish > new connection for the authenticated stuff. > > 2) Do client cert at HTTP level, using the usual HTTP authentication > headers and TLS channel binding mechanisms[1] (but certificates > themselves require some special handling, due to size[2]). > > > [1] SPDY/3 did something like this, except with its own frame > types. > > [2] Bit crazy idea: PUT with .well-known resource. You mean: don't send the certificate, link to it on the web? Then you are close to WebID-TLS http://www.w3.org/2005/Incubator/webid/spec/ WebID-TLS only published the public key, but one could also publish the full certificate. ( people had suggested that before, but we were waiting for larger use cases to consider it ) The advanage following that pattern is you put the certificate anywhere you like, not just in .well-known. You can think of the WebID-profile document as a certificate linked on the web. Then we are close to the WebID-RSA and HTTP-signature proposals I mentioned earlier, but Mark pointed out that its out of scope in this thread. I could open another thread to discuss those when/if people are interested. Henry > > > -Ilari > Social Web Architect http://bblfish.net/
- Client Certificates - re-opening discussion Mark Nottingham
- Re: Client Certificates - re-opening discussion Martin Thomson
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Mark Nottingham
- Re: Client Certificates - re-opening discussion Ilari Liusvaara
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Mike Belshe
- Re: Client Certificates - re-opening discussion Mark Nottingham
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Ilari Liusvaara
- Re: Client Certificates - re-opening discussion Eric Rescorla
- Re: Client Certificates - re-opening discussion Ilari Liusvaara
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion Eric Rescorla
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Yoav Nir
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Yoav Nir
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Kyle Rose
- Re: Client Certificates - re-opening discussion Yoav Nir
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion Kyle Rose
- Re: Client Certificates - re-opening discussion Mike Belshe
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Stephen Farrell
- Re: Client Certificates - re-opening discussion Kyle Rose
- Re: Client Certificates - re-opening discussion Jason Greene
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Alex Rousskov
- Re: Client Certificates - re-opening discussion Mark Nottingham
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion Martin Thomson
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Yoav Nir
- Re: Client Certificates - re-opening discussion Ryan Hamilton