Re: Client-Cert Header draft

Roberto Polli <> Tue, 21 April 2020 16:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B5DF03A0E00 for <>; Tue, 21 Apr 2020 09:44:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.75
X-Spam-Status: No, score=-2.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id e1Fwg61JAAdj for <>; Tue, 21 Apr 2020 09:44:08 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 693AD3A0E35 for <>; Tue, 21 Apr 2020 09:34:19 -0700 (PDT)
Received: from lists by with local (Exim 4.92) (envelope-from <>) id 1jQvnt-0005ta-VV for; Tue, 21 Apr 2020 16:31:22 +0000
Resent-Date: Tue, 21 Apr 2020 16:31:21 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <>) id 1jQvnt-0005sx-4H for; Tue, 21 Apr 2020 16:31:21 +0000
Received: from ([2607:f8b0:4864:20::12e]) by with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <>) id 1jQvnr-0001iA-Gw for; Tue, 21 Apr 2020 16:31:20 +0000
Received: by with SMTP id x2so12643156ilp.13 for <>; Tue, 21 Apr 2020 09:31:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=OQg7Ev33nR5m48rsZNU5DmVOUqKbRYdnVfPMe229JPg=; b=gVRN66df5RuK9uHOxuEsCotXhPZEBtVTzaJfGjNl4Jekeny2EoXuBRRBq9xYeZxvMa A3N6pa/xSm2YH87Po7wBxAQ6+XYFD4jWVpOBU6kyDhDXRNGhDBZhxG9PQ5vX+I88pgvU wV2V/aIr2VdOaVOHIrWbJZqN7R9gwz554iqDA8BhYzOlpKsg4ozB8Vn6/vElhOZV0vxz ETztr+f+xlzdalY/67vAtq+HQDi7+rFhN169LmOKIICqaV2VXRN79bQybRARcDJWsojj UpNo4U1AzsECN9q6L1hVmLjiSPnaCphC/UEOFrP/I20BoGUtMyljrG1p5Y4BsdZBrFCE 05rQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=OQg7Ev33nR5m48rsZNU5DmVOUqKbRYdnVfPMe229JPg=; b=FLzom921wO13L9utxjaqxGB7+5fUx6SguqXuUpayjLB2Ys4CXNf2eiB8D7kZUntyDj mHXeO4quJ6GyAUAel1IBV+OlpTJNnXUiKuO8sRe6AxEN9zG7/S8AsUMVp9pyCkUUUE7n l0vAraYnbNaogJAJya1oRk4zPiuZPEXttbtZ79Aj3c1I7i5O3GtCtKFtUp2U8Htf/cIU 1KAIZgufIKWusDQTS3+xy2rpbNE8cmzdEO2efwO3vS/QVQ9a+iZbVr3SW8R8iCzvBRUr C8/1E/cvWx9vR078d4uigCWEhB1Y4HrNNq4HxkbG1PW8fE/Kr1vFOTwLr8/LJ4idZe0I GEFg==
X-Gm-Message-State: AGi0Pubot2ey9qT6QP8r3Ck7crg9CLzZLbAu1tBplVYlNVw+x7kM91+a oQBbnKeahk3OMJsnESPHaeknN4DR/HuMde4fyks=
X-Google-Smtp-Source: APiQypJMdM9nhiVJ5fKuCvq57TXwarXd5/vFljiiIHFDEJhLdqYMEEyDHRTSMA9zRboybooOU45fDEOJFCOf3+/lkb4=
X-Received: by 2002:a92:2c0d:: with SMTP id t13mr20360258ile.127.1587486668356; Tue, 21 Apr 2020 09:31:08 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Roberto Polli <>
Date: Tue, 21 Apr 2020 18:30:57 +0200
Message-ID: <>
To: Brian Campbell <>
Cc: HTTP Working Group <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=2607:f8b0:4864:20::12e;;
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1jQvnr-0001iA-Gw 9224541d9891d959d5c1d7ae2755c170
Subject: Re: Client-Cert Header draft
Archived-At: <>
X-Mailing-List: <> archive/latest/37533
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

Hi Brian,

I think the work is interesting and useful, though it has complexities.

TL;DR: I'd only standardize the header semantic and file a detailed
Security Considerations
section with different sections addressing the different issues.

More follows:

1- standardizing the header name is good;
2- it is correct to investigate the impacts of this header when the
network topology is not trivial
    ( I see use cases for TTRP + re-encryption). I suggest providing subsections
    in the Security Considerations;
3- the only reason for trusting that header is an actual agreement
between the owners
    of the services: I am not sure we should detail things like `Use
of the technique is to be a configuration or deployment`
    but please provide your thoughts;
4- I am not sure that adding processing rules in the spec can provide more
    guarantees to the backend server,  as it's completely "delegating
the authentication"
    to the upstream server and cannot verify the received information.


Il giorno gio 16 apr 2020 alle ore 10:05 Brian Campbell
<> ha scritto:
> Hello HTTP Working Group,
> I've somewhat inadvertently found myself working on this draft, which aspires to define a "Client-Cert" HTTP header field that allows a TLS terminating reverse proxy to convey information about the client certificate of a mutually-authenticated TLS connection to an origin server in a common and predictable manner.
> I presented the concept at the recent virtual IETF 107 secdispatch meeting and the outcome from that was basically that there seems to be some interest in pursuing the work and the suggestion that the conversation be taken to the HTTPbis WG (and also keep TLS WG involved - presumably if the work progresses). And that's what brings me here. I also hope to get a little bit of time at one of the upcoming virtual interims to present/discuss the draft.
> Thanks,
> Brian
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.