Re: Client-Cert Header draft

"Soni L." <fakedme+http@gmail.com> Fri, 17 April 2020 21:24 UTC

To: ietf-http-wg@w3.org
References: <CA+k3eCRQhuS9TyEVdF6ZAfLSyPngjDLvctUTc++2Ok+RJmw0qA@mail.gmail.com> <C8B0E972-CE82-495D-B657-E5B52B6EAE20@mit.edu>
From: "Soni L." <fakedme+http@gmail.com>
Message-ID: <515d3c47-11c5-c557-f5eb-4c98fff86416@gmail.com>
Date: Fri, 17 Apr 2020 18:24:03 -0300
In-Reply-To: <C8B0E972-CE82-495D-B657-E5B52B6EAE20@mit.edu>
Archived-At: <https://www.w3.org/mid/515d3c47-11c5-c557-f5eb-4c98fff86416@gmail.com>

If I may, I'd like to suggest a WebSocket-like mechanism that's 
initiated by TLS terminators.

If the TLS terminator thinks a request needs to reach the server, it can 
let the client request directly from the server that way, including 
client certs and whatnot. If done right, this would also allow 
protection of other sensitive user data (e.g. direct messages) from the 
TLS terminator.

On 2020-04-17 5:58 p.m., Justin Richer wrote:
> +1 for seeing this adopted and progressing within this group. This is 
> a simple thing that different developers have had to solve for decades 
> and each has solved it in trivially different ways. I would love to 
> see one commonly-accepted way to do this.
>
> TLS terminators aren’t going away any time soon, so I think we should 
> make them at least a bit more manageable.
>
>  — Justin
>
>> On Apr 15, 2020, at 5:01 PM, Brian Campbell 
>> <bcampbell@pingidentity.com> wrote:
>>
>> Hello HTTP Working Group,
>>
>> I've somewhat inadvertently found myself working on this draft 
>> https://datatracker.ietf.org/doc/draft-bdc-something-something-certificate/, 
>> which aspires to define a "Client-Cert" HTTP header field that allows 
>> a TLS terminating reverse proxy to convey information about the 
>> client certificate of a mutually-authenticated TLS connection to an 
>> origin server in a common and predictable manner.
>>
>> I presented the concept 
>> <https://datatracker.ietf.org/meeting/107/materials/slides-107-secdispatch-client-cert-http-header-00> 
>> at the recent virtual IETF 107 secdispatch meeting 
>> <https://datatracker.ietf.org/meeting/107/materials/minutes-107-secdispatch-00> 
>> and the outcome from that was basically that there seems to be some 
>> interest in pursuing the work and the suggestion that the 
>> conversation be taken to the HTTPbis WG (and also keep TLS WG 
>> involved - presumably if the work progresses). And that's what brings 
>> me here. I also hope to get a little bit of time at one of the 
>> upcoming virtual interims to present/discuss the draft.
>>
>> Thanks,
>> Brian
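The proxy-to-origin handoff Brian's draft is about, as an added example that is not part of this thread or of the draft's own code: the TLS terminator replaces any Client-Cert header the client sent with its own attestation of the peer certificate, and the origin accepts the header only on requests it knows arrived through the proxy. The base64-DER header value, the function names and the self-signed sample certificate are assumptions made for this illustration, not the draft's specified encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"net/http"
	"time"
)

const clientCertHeader = "Client-Cert" // name from the draft; base64 DER as its value is this example's assumption

// ProxyHeaders is what the TLS terminator forwards: its own attestation of the peer certificate, never the client's.
func ProxyHeaders(inbound http.Header, peer *x509.Certificate) http.Header {
	out := inbound.Clone()
	out.Del(clientCertHeader) // drop any Client-Cert the client supplied itself
	if peer != nil {
		out.Set(clientCertHeader, base64.StdEncoding.EncodeToString(peer.Raw))
	}
	return out
}

// OriginClientCert recovers the certificate at the origin. fromProxy must come from the
// transport (e.g. a listener only the proxy can reach), never from the request itself.
func OriginClientCert(h http.Header, fromProxy bool) (*x509.Certificate, error) {
	if !fromProxy {
		return nil, errors.New("Client-Cert only trusted from the TLS terminator")
	}
	der, err := base64.StdEncoding.DecodeString(h.Get(clientCertHeader))
	if err != nil || len(der) == 0 {
		return nil, errors.New("missing or malformed Client-Cert")
	}
	return x509.ParseCertificate(der)
}

// SelfSignedTestCert is constructed sample input standing in for the client's certificate.
func SelfSignedTestCert(cn string) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```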