Re: Client-Cert Header draft
Roberto Polli <robipolli@gmail.com> Tue, 21 April 2020 16:44 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5DF03A0E00 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 21 Apr 2020 09:44:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.75
X-Spam-Level:
X-Spam-Status: No, score=-2.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e1Fwg61JAAdj for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 21 Apr 2020 09:44:08 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 693AD3A0E35 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 21 Apr 2020 09:34:19 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1jQvnt-0005ta-VV for ietf-http-wg-dist@listhub.w3.org; Tue, 21 Apr 2020 16:31:22 +0000
Resent-Date: Tue, 21 Apr 2020 16:31:21 +0000
Resent-Message-Id: <E1jQvnt-0005ta-VV@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <robipolli@gmail.com>) id 1jQvnt-0005sx-4H for ietf-http-wg@listhub.w3.org; Tue, 21 Apr 2020 16:31:21 +0000
Received: from mail-il1-x12e.google.com ([2607:f8b0:4864:20::12e]) by mimas.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <robipolli@gmail.com>) id 1jQvnr-0001iA-Gw for ietf-http-wg@w3.org; Tue, 21 Apr 2020 16:31:20 +0000
Received: by mail-il1-x12e.google.com with SMTP id x2so12643156ilp.13 for <ietf-http-wg@w3.org>; Tue, 21 Apr 2020 09:31:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=OQg7Ev33nR5m48rsZNU5DmVOUqKbRYdnVfPMe229JPg=; b=gVRN66df5RuK9uHOxuEsCotXhPZEBtVTzaJfGjNl4Jekeny2EoXuBRRBq9xYeZxvMa A3N6pa/xSm2YH87Po7wBxAQ6+XYFD4jWVpOBU6kyDhDXRNGhDBZhxG9PQ5vX+I88pgvU wV2V/aIr2VdOaVOHIrWbJZqN7R9gwz554iqDA8BhYzOlpKsg4ozB8Vn6/vElhOZV0vxz ETztr+f+xlzdalY/67vAtq+HQDi7+rFhN169LmOKIICqaV2VXRN79bQybRARcDJWsojj UpNo4U1AzsECN9q6L1hVmLjiSPnaCphC/UEOFrP/I20BoGUtMyljrG1p5Y4BsdZBrFCE 05rQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=OQg7Ev33nR5m48rsZNU5DmVOUqKbRYdnVfPMe229JPg=; b=FLzom921wO13L9utxjaqxGB7+5fUx6SguqXuUpayjLB2Ys4CXNf2eiB8D7kZUntyDj mHXeO4quJ6GyAUAel1IBV+OlpTJNnXUiKuO8sRe6AxEN9zG7/S8AsUMVp9pyCkUUUE7n l0vAraYnbNaogJAJya1oRk4zPiuZPEXttbtZ79Aj3c1I7i5O3GtCtKFtUp2U8Htf/cIU 1KAIZgufIKWusDQTS3+xy2rpbNE8cmzdEO2efwO3vS/QVQ9a+iZbVr3SW8R8iCzvBRUr C8/1E/cvWx9vR078d4uigCWEhB1Y4HrNNq4HxkbG1PW8fE/Kr1vFOTwLr8/LJ4idZe0I GEFg==
X-Gm-Message-State: AGi0Pubot2ey9qT6QP8r3Ck7crg9CLzZLbAu1tBplVYlNVw+x7kM91+a oQBbnKeahk3OMJsnESPHaeknN4DR/HuMde4fyks=
X-Google-Smtp-Source: APiQypJMdM9nhiVJ5fKuCvq57TXwarXd5/vFljiiIHFDEJhLdqYMEEyDHRTSMA9zRboybooOU45fDEOJFCOf3+/lkb4=
X-Received: by 2002:a92:2c0d:: with SMTP id t13mr20360258ile.127.1587486668356; Tue, 21 Apr 2020 09:31:08 -0700 (PDT)
MIME-Version: 1.0
References: <CA+k3eCRQhuS9TyEVdF6ZAfLSyPngjDLvctUTc++2Ok+RJmw0qA@mail.gmail.com>
In-Reply-To: <CA+k3eCRQhuS9TyEVdF6ZAfLSyPngjDLvctUTc++2Ok+RJmw0qA@mail.gmail.com>
From: Roberto Polli <robipolli@gmail.com>
Date: Tue, 21 Apr 2020 18:30:57 +0200
Message-ID: <CAP9qbHXtHGYn2r0bpx0OvgUa1i6=g5pjxx2RAmoV=NhoUwhQRw@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=2607:f8b0:4864:20::12e; envelope-from=robipolli@gmail.com; helo=mail-il1-x12e.google.com
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1jQvnr-0001iA-Gw 9224541d9891d959d5c1d7ae2755c170
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Client-Cert Header draft
Archived-At: <https://www.w3.org/mid/CAP9qbHXtHGYn2r0bpx0OvgUa1i6=g5pjxx2RAmoV=NhoUwhQRw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37533
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi Brian, I think the work is interesting and useful, though it has complexities. TL;DR: I'd only standardize the header semantic and file a detailed Security Considerations section with different sections addressing the different issues. More follows: 1- standardizing the header name is good; 2- it is correct to investigate the impacts of this header when the network topology is not trivial ( I see use cases for TTRP + re-encryption). I suggest providing subsections in the Security Considerations; 3- the only reason for trusting that header is an actual agreement between the owners of the services: I am not sure we should detail things like `Use of the technique is to be a configuration or deployment` but please provide your thoughts; 4- I am not sure that adding processing rules in the spec can provide more guarantees to the backend server, as it's completely "delegating the authentication" to the upstream server and cannot verify the received information. My2c, R. Il giorno gio 16 apr 2020 alle ore 10:05 Brian Campbell <bcampbell@pingidentity.com> ha scritto: > > Hello HTTP Working Group, > > I've somewhat inadvertently found myself working on this draft https://datatracker.ietf.org/doc/draft-bdc-something-something-certificate/, which aspires to define a "Client-Cert" HTTP header field that allows a TLS terminating reverse proxy to convey information about the client certificate of a mutually-authenticated TLS connection to an origin server in a common and predictable manner. > > I presented the concept at the recent virtual IETF 107 secdispatch meeting and the outcome from that was basically that there seems to be some interest in pursuing the work and the suggestion that the conversation be taken to the HTTPbis WG (and also keep TLS WG involved - presumably if the work progresses). And that's what brings me here. I also hope to get a little bit of time at one of the upcoming virtual interims to present/discuss the draft. > > Thanks, > Brian > > > > > > > > > > > > CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
- Client-Cert Header draft Brian Campbell
- RE: Client-Cert Header draft Mike Bishop
- Re: Client-Cert Header draft Lucas Pardue
- Re: Client-Cert Header draft Justin Richer
- Re: Client-Cert Header draft David Benjamin
- Re: Client-Cert Header draft Soni L.
- Re: Client-Cert Header draft Eric Rescorla
- Re: Client-Cert Header draft Brian Campbell
- Re: Client-Cert Header draft Brian Campbell
- Re: Client-Cert Header draft Brian Campbell
- Re: Client-Cert Header draft Soni L.
- Re: Client-Cert Header draft Lucas Pardue
- Re: Client-Cert Header draft Soni L.
- Re: Client-Cert Header draft Lucas Pardue
- Re: Client-Cert Header draft Soni L.
- Re: Client-Cert Header draft Roberto Polli
- Re: Client-Cert Header draft David Benjamin
- Re: Client-Cert Header draft Graham Leggett
- Re: Client-Cert Header draft James
- Re: Client-Cert Header draft Brian Campbell
- Re: Client-Cert Header draft Brian Campbell
- Re: Client-Cert Header draft Brian Campbell
- Re: Client-Cert Header draft Brian Campbell
- Re: Client-Cert Header draft Graham Leggett
- Re: Client-Cert Header draft Kazuho Oku
- Re: Client-Cert Header draft Brian Campbell