FW: New Version Notification for draft-bishop-httpbis-http2-additional-certs-02.txt

Mike Bishop <Michael.Bishop@microsoft.com> Tue, 01 November 2016 00:05 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9757129C11 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 31 Oct 2016 17:05:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.498
X-Spam-Level:
X-Spam-Status: No, score=-8.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.497, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wAOCBPCcVjSv for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 31 Oct 2016 17:05:46 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0BF0129C0D for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 31 Oct 2016 17:05:45 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1c1MWM-0004Jl-Gv for ietf-http-wg-dist@listhub.w3.org; Tue, 01 Nov 2016 00:01:42 +0000
Resent-Date: Tue, 01 Nov 2016 00:01:42 +0000
Resent-Message-Id: <E1c1MWM-0004Jl-Gv@frink.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <Michael.Bishop@microsoft.com>) id 1c1MWG-0004IA-2q for ietf-http-wg@listhub.w3.org; Tue, 01 Nov 2016 00:01:36 +0000
Received: from mail-by2nam03on0133.outbound.protection.outlook.com ([104.47.42.133] helo=NAM03-BY2-obe.outbound.protection.outlook.com) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256) (Exim 4.84_2) (envelope-from <Michael.Bishop@microsoft.com>) id 1c1MW9-0005it-QK for ietf-http-wg@w3.org; Tue, 01 Nov 2016 00:01:30 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=YE4baX+c3e1j0Loy4tKFv7BUr5NLujzBwLNX6YZbZlY=; b=U0u236kLrqLU3qjAW9J/t3sxDmPCU6/RFvCYi5bZYdqFggvFDURMZRNgN0O2GSR4FgfVXN1UA9OlAx8gGIF1opnC9s6C7mIUEFc2CYF/Ns/JR4lPXwt8HFox0ciehYNMqHJkoZzIMA3gaeNEapkMTATEb3qiUy+AyWSZ1aJNZTw=
Received: from CY4PR03MB2710.namprd03.prod.outlook.com (10.173.43.141) by CY4PR03MB2710.namprd03.prod.outlook.com (10.173.43.141) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.693.12; Tue, 1 Nov 2016 00:00:51 +0000
Received: from CY4PR03MB2710.namprd03.prod.outlook.com ([10.173.43.141]) by CY4PR03MB2710.namprd03.prod.outlook.com ([10.173.43.141]) with mapi id 15.01.0693.009; Tue, 1 Nov 2016 00:00:51 +0000
From: Mike Bishop <Michael.Bishop@microsoft.com>
To: HTTP working group mailing list <ietf-http-wg@w3.org>
CC: Nick Sullivan <nicholas.sullivan@gmail.com>
Thread-Topic: New Version Notification for draft-bishop-httpbis-http2-additional-certs-02.txt
Thread-Index: AQHSM9Fbe7uvB6KgjECDixoo5g1oY6DDPB5Q
Date: Tue, 1 Nov 2016 00:00:50 +0000
Message-ID: <CY4PR03MB27108B2F91A5E516249B28A087A10@CY4PR03MB2710.namprd03.prod.outlook.com>
References: <147795773949.23277.11635318945662522216.idtracker@ietfa.amsl.com>
In-Reply-To: <147795773949.23277.11635318945662522216.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Bishop@microsoft.com;
x-originating-ip: [2001:4898:80e8:8::390]
x-ms-office365-filtering-correlation-id: 05c24efa-a61a-440f-26ae-08d401ea2481
x-microsoft-exchange-diagnostics: 1; CY4PR03MB2710; 7:OCslHQs0XnOaMpXHU0gm77XcAeUzZVKxIgn3WNH88wwuWhIicTAKUflknzHECaAxfGWGzL8B1/7mzO2FY+jjC5qNdaBVypfhGUgX0KLbtVqKdhkJpmjdt7+2i199qwwy9na6I4br+3xJ724sZTOd00hFHKCI09kl1tZjBLGElEXnTs9zQ2IFCrQBLEJppwN4eRab5EZG7AEeQeYkHTQ443/eX6jx3eUjdKMDd0RVYJ+3zmeAktEA+98aaUg0/7t8dn8wIsr90cLumgcYaJ+cxX00pv0VfBtHtPuCMLB6/QyK8brVEVFn3iLUwx2o2SgYAFroSB5bylpw2sFw1py0VCpV/dWcl0QmlTGxxwd11F6TKvxq9rIZabCUuTTmyeEd
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY4PR03MB2710;
x-microsoft-antispam-prvs: <CY4PR03MB2710578A54B2B95845FAEAC687A10@CY4PR03MB2710.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(60795455431006)(158342451672863)(120809045254105);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6045074)(6040176)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038)(6046074)(6072074); SRVR:CY4PR03MB2710; BCL:0; PCL:0; RULEID:; SRVR:CY4PR03MB2710;
x-forefront-prvs: 01136D2D90
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(13464003)(189002)(199003)(377454003)(2473002)(377424004)(2950100002)(19580405001)(2900100001)(19580395003)(4001150100001)(122556002)(86362001)(97736004)(77096005)(15975445007)(102836003)(586003)(68736007)(10400500002)(8936002)(6116002)(10090500001)(9686002)(2906002)(5005710100001)(76576001)(10290500002)(8990500004)(4326007)(92566002)(87936001)(11100500001)(101416001)(76176999)(5002640100001)(50986999)(33656002)(6916009)(54356999)(230783001)(99286002)(110136003)(5660300001)(7696004)(7736002)(81156014)(305945005)(7846002)(81166006)(86612001)(8676002)(106356001)(15650500001)(3280700002)(74316002)(189998001)(3660700001)(105586002)(106116001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR03MB2710; H:CY4PR03MB2710.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Nov 2016 00:00:50.9859 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR03MB2710
Received-SPF: pass client-ip=104.47.42.133; envelope-from=Michael.Bishop@microsoft.com; helo=NAM03-BY2-obe.outbound.protection.outlook.com
X-W3C-Hub-Spam-Status: No, score=-3.9
X-W3C-Hub-Spam-Report: AWL=-2.388, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_NW=0.5
X-W3C-Scan-Sig: titan.w3.org 1c1MW9-0005it-QK f231e0e101b4cccbd907e0426dbe0547
X-Original-To: ietf-http-wg@w3.org
Subject: FW: New Version Notification for draft-bishop-httpbis-http2-additional-certs-02.txt
Archived-At: <http://www.w3.org/mid/CY4PR03MB27108B2F91A5E516249B28A087A10@CY4PR03MB2710.namprd03.prod.outlook.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/32772
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Kudos to Nick for pulling much of these mechanics into a TLS draft instead; this update (changes also by Nick) deletes the pieces that were delegated to TLS and replaces them with references his draft.

The issue of getting an exporter larger than the HTTP/2 frame size is likely back in this version, and something we'll need to iron out.  However, I like the general direction of keeping the crypto in TLS where at all possible.

-----Original Message-----
From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org] 
Sent: Monday, October 31, 2016 4:49 PM
To: Mike Bishop <Michael.Bishop@microsoft.com>om>; Martin Thomson <martin.thomson@gmail.com>
Subject: New Version Notification for draft-bishop-httpbis-http2-additional-certs-02.txt


A new version of I-D, draft-bishop-httpbis-http2-additional-certs-02.txt
has been successfully submitted by Mike Bishop and posted to the IETF repository.

Name:		draft-bishop-httpbis-http2-additional-certs
Revision:	02
Title:		Secondary Certificate Authentication in HTTP/2
Document date:	2016-10-31
Group:		Individual Submission
Pages:		21
URL:            https://www.ietf.org/internet-drafts/draft-bishop-httpbis-http2-additional-certs-02.txt
Status:         https://datatracker.ietf.org/doc/draft-bishop-httpbis-http2-additional-certs/
Htmlized:       https://tools.ietf.org/html/draft-bishop-httpbis-http2-additional-certs-02
Diff:           https://www.ietf.org/rfcdiff?url2=draft-bishop-httpbis-http2-additional-certs-02

Abstract:
   TLS provides fundamental mutual authentication services for HTTP,
   supporting up to one server certificate and up to one client
   certificate associated to the session to prove client and server
   identities as necessary.  This draft provides mechanisms for
   providing additional such certificates at the HTTP layer when these
   constraints are not sufficient.

   Many HTTP servers host content from several origins.  HTTP/2
   [RFC7540] permits clients to reuse an existing HTTP connection to a
   server provided that the secondary origin is also in the certificate
   provided during the TLS [I-D.ietf-tls-tls13] handshake.

   In many cases, servers will wish to maintain separate certificates
   for different origins but still desire the benefits of a shared HTTP
   connection.  Similarly, servers may require clients to present
   authentication, but have different requirements based on the content
   the client is attempting to access.

   This document describes a how TLS exported authenticators [I-D.draft-
   sullivan-tls-exported-authenticator] can be used to provide proof of
   ownership of additional certificates to the HTTP layer to support
   both scenarios.

                                                                                  


Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat