IETF Logo Mail Archive

Re: Client-Cert Header draft

Brian Campbell <bcampbell@pingidentity.com> Mon, 20 April 2020 21:55 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87BC13A1119 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 20 Apr 2020 14:55:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.849
X-Spam-Level:
X-Spam-Status: No, score=-0.849 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cUYNn0ZKBNaV for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 20 Apr 2020 14:55:54 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 202093A111E for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 20 Apr 2020 14:55:53 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1jQeLt-0005kC-F0 for ietf-http-wg-dist@listhub.w3.org; Mon, 20 Apr 2020 21:53:17 +0000
Resent-Date: Mon, 20 Apr 2020 21:53:17 +0000
Resent-Message-Id: <E1jQeLt-0005kC-F0@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <bcampbell@pingidentity.com>) id 1jQeLs-0005jL-8i for ietf-http-wg@listhub.w3.org; Mon, 20 Apr 2020 21:53:16 +0000
Received: from mail-lj1-x22a.google.com ([2a00:1450:4864:20::22a]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <bcampbell@pingidentity.com>) id 1jQeLo-0007JY-VT for ietf-http-wg@w3.org; Mon, 20 Apr 2020 21:53:15 +0000
Received: by mail-lj1-x22a.google.com with SMTP id g4so3644135ljl.2 for <ietf-http-wg@w3.org>; Mon, 20 Apr 2020 14:53:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4ZPQrGyzGawK13V29zvcywY25/atXGgGCFaj187/6ao=; b=X/7VuOIABELxTrgBL89vFGpqw9Jo/Z3AAgkUDOUuB56GKIJqPtSY9bJJQY9/4Qg5n1 aRNUgYBvmIyKJxikVeXCfFYEniv1TIM44S+fpIWQSI5dAxi0beXa/JDaq2Zwhd02wWaQ yt9ZVPyq/dPnPqxqg2HionsKncRrbSjc0L4lTfOVhsK53fLIQdPrDKJsjBOCGKcolm/o UBuci6v+nxEK/OAGTCvNrG+2OJy1vFjyOU3u8jKzzgsbfSFdRcwYmVX6Mpv9Xcf4Q476 FEPiGKt8JHMhgwC9+ewNWXXzjwOHC+f1WNXmByRcqB6ja6BsUS/v4V9b2a1fdhoF3sMA SYoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4ZPQrGyzGawK13V29zvcywY25/atXGgGCFaj187/6ao=; b=QAV3Di6hEO8M65W/4czIh+h0RFmWSbdv/XKvvKCgYtmxFQOTplxaKFy5dflKCon8Xr Ie6UU+qP7l7+xPFmJ3aTubKdbj0sXkDyZpExy2lJIE80YXpesN4DTlpmPTeMV44UQDWI WaZQcO4xgS73nZzXPiUo8p6FnOTwuYM5IUiBPp2Hf/ME8iDcHuvkCGzdC99HlBkjTCYk MuRmFy9fHFwhludhDwaXxkM+gWBvTgRxYRoX59KuHXjNbCnJ4D7WTqwihyDZV1Ufgd9P XsayRGgkt6PXoz6VzN0KlHQyrSbY6Nn9JDQl49hDrqBuFj3tO45ELNtTou470yfVC10w XNiw==
X-Gm-Message-State: AGi0PuZpZ+Lv/QsOk9qRVN1y2MBnt2/JPaOpl8P0y8T3tc2syV9WU8nK 1CAXrAw79FsMn8HZ2W16OuEy1893bxxxThfHSZwwaZ9JDlnR9vnglPKtjd02gH8+EKaDv84PbMI 6X+uiu5mK1bQ6oNnpRz+GCPI=
X-Google-Smtp-Source: APiQypJpvoPktlkZB+YT3K3iP9hksa/XL4BTq2UmBuOB6AFuobpjO8CsdbKUBY70Om6RU8586gpLeRPE+nSjVc5WJzA=
X-Received: by 2002:a2e:9842:: with SMTP id e2mr5681955ljj.273.1587419581095; Mon, 20 Apr 2020 14:53:01 -0700 (PDT)
MIME-Version: 1.0
References: <CA+k3eCRQhuS9TyEVdF6ZAfLSyPngjDLvctUTc++2Ok+RJmw0qA@mail.gmail.com> <CH2PR22MB208612E57276557568F843E2DAD90@CH2PR22MB2086.namprd22.prod.outlook.com> <CABcZeBNTgB9PiTn8nnGyQcZOG6W19aaZnwJh09VEJcceS=8-7w@mail.gmail.com>
In-Reply-To: <CABcZeBNTgB9PiTn8nnGyQcZOG6W19aaZnwJh09VEJcceS=8-7w@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 20 Apr 2020 15:52:34 -0600
Message-ID: <CA+k3eCQEkGUCPWZqTGwxdzP63bcXrzVTsCBPEkNeib_88WY+4w@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Mike Bishop <mbishop@evequefou.be>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="0000000000003db7e705a3bfecce"
Received-SPF: pass client-ip=2a00:1450:4864:20::22a; envelope-from=bcampbell@pingidentity.com; helo=mail-lj1-x22a.google.com
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1jQeLo-0007JY-VT cd27c038635f297fc661feb734a80dfa
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Client-Cert Header draft
Archived-At: <https://www.w3.org/mid/CA+k3eCQEkGUCPWZqTGwxdzP63bcXrzVTsCBPEkNeib_88WY+4w@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37524
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Indeed, it is unsurprising to me.

But I do acknowledge the opinion expressed by Mike and +1'd by you and
Lucas.

While header sanitization can be deployed securely, there are ways to do it
wrong and admittedly things don't "fail safe" when that happens. It would
be nice to simply point to a more generic solution for something better,
but I think we've previously demonstrated that there is not enough energy
from parties interested in pursuing it. Lacking that something more
generic, I personally (still) think it would be rather
awkward/inappropriate to have this draft define a one-off solution. But
that is my opinion as an individual and it would clearly be a topic for
further discussion should this draft become a WG item.





On Fri, Apr 17, 2020 at 4:31 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Fri, Apr 17, 2020 at 12:23 PM Mike Bishop <mbishop@evequefou.be> wrote:
>
>> Despite the distaste for client certificates from some quarters, they are
>> still both used and useful.  I’m certainly interested in seeing this
>> progress.
>>
>>
>>
>> In today’s situation, the intermediary checks that the cert matches the
>> rules it has been given to authenticate clients, and only forwards the
>> requests from valid clients.  Arguably, the origin is offloading less trust
>> in this draft’s model – the intermediary is responsible for validating that
>> the client possesses the claimed certificate, but might leave the origin to
>> decide what scope of access the certificate actually grants.  That allows
>> finer-grained access control, but also allows greater ability to send
>> requests back to the origin.  It also opens the door for intermediaries
>> which don’t support this header to accidentally forward requests containing
>> it.  Requiring intermediaries to drop it doesn’t get you much, since only
>> those intermediaries aware of the spec will comply by dropping the header.
>> To help address these, I’d like to see this mix in something that the
>> intermediary holds and the client doesn’t, such as an exporter from its TLS
>> connection to the server.
>>
>
> I'm sure unsurprisingly to nobody, I second Mike's comments here.
>
> -Ekr
>
>
>>
>> But all that is refinement – the core concept here is beneficial, and I’d
>> like to see more engagement here.
>>
>>
>>
>> *From:* Brian Campbell <bcampbell@pingidentity.com>
>> *Sent:* Wednesday, April 15, 2020 5:01 PM
>> *To:* HTTP Working Group <ietf-http-wg@w3.org>
>> *Subject:* Client-Cert Header draft
>>
>>
>>
>> Hello HTTP Working Group,
>>
>>
>>
>> I've somewhat inadvertently found myself working on this draft
>> https://datatracker.ietf.org/doc/draft-bdc-something-something-certificate/,
>> which aspires to define a "Client-Cert" HTTP header field that allows a TLS
>> terminating reverse proxy to convey information about the client
>> certificate of a mutually-authenticated TLS connection to an origin server
>> in a common and predictable manner.
>>
>>
>>
>> I presented the concept
>> <https://datatracker.ietf.org/meeting/107/materials/slides-107-secdispatch-client-cert-http-header-00>
>> at the recent virtual IETF 107 secdispatch meeting
>> <https://datatracker.ietf.org/meeting/107/materials/minutes-107-secdispatch-00>
>> and the outcome from that was basically that there seems to be some
>> interest in pursuing the work and the suggestion that the conversation be
>> taken to the HTTPbis WG (and also keep TLS WG involved - presumably if the
>> work progresses). And that's what brings me here. I also hope to get a
>> little bit of time at one of the upcoming virtual interims to
>> present/discuss the draft.
>>
>>
>>
>> Thanks,
>>
>> Brian
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited..
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email