Re: Call for Adoption: Secondary Certificate Authentication in HTTP/2

Martin Thomson <martin.thomson@gmail.com> Mon, 27 June 2016 02:11 UTC

In-Reply-To: <20160624072833.GA6241@LK-Perkele-V2.elisa-laajakaista.fi>
References: <F9D2CFF3-57C2-41BD-ACB1-FA6C991458D7@mnot.net> <20160624072833.GA6241@LK-Perkele-V2.elisa-laajakaista.fi>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 27 Jun 2016 12:06:43 +1000
Message-ID: <CABkgnnWS0oA=OK7PScBEU6SBEu5DFpqSZAgWL1VpGBfLGOZhFA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: Call for Adoption: Secondary Certificate Authentication in HTTP/2
Archived-At: <http://www.w3.org/mid/CABkgnnWS0oA=OK7PScBEU6SBEu5DFpqSZAgWL1VpGBfLGOZhFA@mail.gmail.com>

On 24 June 2016 at 17:28, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>
> What I don't like is MUST not send USE_CERTIFICATE without
> CERTIFICATE_REQUIRED. This forces a client that wants to maintain
> the required control in order to safely mux across authorities to
> eat extra RTT for every request (yes, it would be guessing without,
> but likely highly accurate guessing[1]).

This is something I'm not entirely happy with myself.  Hopefully we
can find some way that we can define an interaction that doesn't
require both the extra round trip AND the complexity.  As Cory notes,
this is more complex than ideal.

> Also, with regard to certificate chains, there are still loads of
> certificate chains that contain PKCS#1v1.5 signatures, and there will
> likely be for the foreseeable future[2].

That's fine.  But we are explicitly not saying what is permitted in
the certificate chain, we are only saying what *this* protocol can
carry.  (In my opinion, saying that signature_algorithms also applies
to signatures on certificates is a mistake in TLS; and we don't
need to replicate that.)

On 25 June 2016 at 21:44, Nick Sullivan <nicholas.sullivan@gmail.com> wrote:
> There are still some open questions about whether the use of the SETTINGS
> frame and the creation of two additional IANA registries is preferable to
> the use of an Extended SETTINGS
> (https://datatracker.ietf.org/doc/draft-bishop-httpbis-extended-settings/)
> frame and the existing TLS Extensions IANA registry. However, I think this
> can be resolved here.

I agree.  For the record, we should have built h2 settings like in
Mike's draft in the first place, but retrofitting it is harder.