RE: Client-Cert Header draft

Mike Bishop <mbishop@evequefou.be> Fri, 17 April 2020 19:23 UTC

From: Mike Bishop <mbishop@evequefou.be>
To: Brian Campbell <bcampbell@pingidentity.com>, HTTP Working Group <ietf-http-wg@w3.org>
Date: Fri, 17 Apr 2020 19:20:12 +0000
Message-ID: <CH2PR22MB208612E57276557568F843E2DAD90@CH2PR22MB2086.namprd22.prod.outlook.com>
References: <CA+k3eCRQhuS9TyEVdF6ZAfLSyPngjDLvctUTc++2Ok+RJmw0qA@mail.gmail.com>
In-Reply-To: <CA+k3eCRQhuS9TyEVdF6ZAfLSyPngjDLvctUTc++2Ok+RJmw0qA@mail.gmail.com>
Subject: RE: Client-Cert Header draft
Archived-At: <https://www.w3.org/mid/CH2PR22MB208612E57276557568F843E2DAD90@CH2PR22MB2086.namprd22.prod.outlook.com>

Despite the distaste for client certificates from some quarters, they are still both used and useful.  I’m certainly interested in seeing this progress.

In today’s situation, the intermediary checks that the cert matches the rules it has been given to authenticate clients, and only forwards the requests from valid clients.  Arguably, the origin is offloading less trust in this draft’s model – the intermediary is responsible for validating that the client possesses the claimed certificate, but might leave the origin to decide what scope of access the certificate actually grants.  That allows finer-grained access control, but also allows greater ability to send requests back to the origin.  It also opens the door for intermediaries which don’t support this header to accidentally forward requests containing it.  Requiring intermediaries to drop it doesn’t get you much, since only those intermediaries aware of the spec will comply by dropping the header.  To help address these, I’d like to see this mix in something that the intermediary holds and the client doesn’t, such as an exporter from its TLS connection to the server.

But all that is refinement – the core concept here is beneficial, and I’d like to see more engagement here.
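The binding Mike Bishop suggests above, as an added example that is not part of this message or of the draft: a spec-aware intermediary strips any incoming Client-Cert header and re-sets it from the certificate it validated at the TLS layer, attaching an HMAC keyed with a value only the intermediary holds; the origin ignores the header unless that HMAC verifies. The `Client-Cert-Binding` header name, the fixed secret (standing in for a TLS exporter value) and the certificate bytes are constructed for this example.

```python
import base64
import hashlib
import hmac
from typing import Optional

CERT_HDR = "client-cert"          # header field from the draft; keys are lower-cased throughout
BIND_HDR = "client-cert-binding"  # hypothetical binding header, not part of the draft
# Constructed stand-in for a value only the intermediary holds (e.g. a TLS exporter from
# its connection to the origin); a fixed secret keeps the example self-contained.
PROXY_ORIGIN_SECRET = b"constructed-example-secret-not-a-real-key"
REAL_CERT_DER = b"\x30\x82\x01\x00constructed-der-placeholder"  # stands in for a DER cert


def binding_tag(cert_b64: str, secret: bytes) -> str:
    """HMAC over the forwarded certificate, keyed with the intermediary-only secret."""
    return hmac.new(secret, cert_b64.encode("ascii"), hashlib.sha256).hexdigest()


def aware_proxy_forward(client_headers: dict, tls_cert_der: Optional[bytes], secret: bytes) -> dict:
    """Spec-aware intermediary: strip incoming copies, set the header only from the TLS layer."""
    out = {k.lower(): v for k, v in client_headers.items() if k.lower() not in (CERT_HDR, BIND_HDR)}
    if tls_cert_der is not None:
        cert_b64 = base64.b64encode(tls_cert_der).decode("ascii")
        out[CERT_HDR] = cert_b64
        out[BIND_HDR] = binding_tag(cert_b64, secret)
    return out


def unaware_proxy_forward(client_headers: dict) -> dict:
    """Intermediary that knows nothing about the header: forwards everything unchanged."""
    return {k.lower(): v for k, v in client_headers.items()}


def origin_client_cert(headers: dict, secret: bytes) -> Optional[bytes]:
    """Origin: accept the certificate only if the binding verifies, else treat as no cert."""
    cert_b64, tag = headers.get(CERT_HDR), headers.get(BIND_HDR)
    if cert_b64 is None or tag is None or not hmac.compare_digest(tag, binding_tag(cert_b64, secret)):
        return None
    return base64.b64decode(cert_b64)


def demo() -> tuple:
    """Legitimate path, then a client-supplied header via an unaware and via an aware proxy."""
    injected_b64 = base64.b64encode(b"client-supplied-bytes").decode("ascii")
    injected = {"Host": "origin.example", CERT_HDR: injected_b64,
                BIND_HDR: binding_tag(injected_b64, b"client-does-not-know-the-secret")}
    legit = aware_proxy_forward({"Host": "origin.example"}, REAL_CERT_DER, PROXY_ORIGIN_SECRET)
    via_unaware = unaware_proxy_forward(injected)
    via_aware = aware_proxy_forward(injected, None, PROXY_ORIGIN_SECRET)
    return tuple(origin_client_cert(h, PROXY_ORIGIN_SECRET) for h in (legit, via_unaware, via_aware))
```

`demo()` returns the certificate only for the first path; the header that reached the origin through the unaware proxy fails the binding check, and the aware proxy never forwards it at all.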

From: Brian Campbell <bcampbell@pingidentity.com>
Sent: Wednesday, April 15, 2020 5:01 PM
To: HTTP Working Group <ietf-http-wg@w3.org>
Subject: Client-Cert Header draft

Hello HTTP Working Group,

I've somewhat inadvertently found myself working on this draft https://datatracker.ietf.org/doc/draft-bdc-something-something-certificate/, which aspires to define a "Client-Cert" HTTP header field that allows a TLS terminating reverse proxy to convey information about the client certificate of a mutually-authenticated TLS connection to an origin server in a common and predictable manner.

I presented the concept <https://datatracker.ietf.org/meeting/107/materials/slides-107-secdispatch-client-cert-http-header-00> at the recent virtual IETF 107 secdispatch meeting <https://datatracker.ietf.org/meeting/107/materials/minutes-107-secdispatch-00> and the outcome from that was basically that there seems to be some interest in pursuing the work and the suggestion that the conversation be taken to the HTTPbis WG (and also keep TLS WG involved - presumably if the work progresses). And that's what brings me here. I also hope to get a little bit of time at one of the upcoming virtual interims to present/discuss the draft.

Thanks,
Brian