IETF Logo Mail Archive

RE: FW: New Version Notification for draft-thomson-http2-client-certs-01.txt

Mike Bishop <Michael.Bishop@microsoft.com> Wed, 27 January 2016 00:05 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6855C1A01BA for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 26 Jan 2016 16:05:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.003
X-Spam-Level:
X-Spam-Status: No, score=-7.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QFJfAvZGNDLJ for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 26 Jan 2016 16:05:19 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF0FB1A01A5 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 26 Jan 2016 16:05:19 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1aODXv-0005lC-7l for ietf-http-wg-dist@listhub.w3.org; Wed, 27 Jan 2016 00:01:15 +0000
Resent-Date: Wed, 27 Jan 2016 00:01:15 +0000
Resent-Message-Id: <E1aODXv-0005lC-7l@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <Michael.Bishop@microsoft.com>) id 1aODXo-0005kP-GR for ietf-http-wg@listhub.w3.org; Wed, 27 Jan 2016 00:01:08 +0000
Received: from mail-bl2on0144.outbound.protection.outlook.com ([65.55.169.144] helo=na01-bl2-obe.outbound.protection.outlook.com) by maggie.w3.org with esmtps (TLS1.2:RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <Michael.Bishop@microsoft.com>) id 1aODXl-0007F5-Oy for ietf-http-wg@w3.org; Wed, 27 Jan 2016 00:01:07 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=/dF0/nDjCTSKn83DFjsPGbB2SIgdB+AnAmQVdbl0mJQ=; b=cLnf22DVTw7Tg5x6U+AgTAzijSTaLuKpSvhVtpkLUvpc/tLpYonbqpTGrSEvkA09VjFoeCz7SaQAJdtH/95R6Fd1iOUWiPAHotwJ6MyNs1C88nboYHKnRom+vprWiSsp1tKmP7L/RAKbk/U8GMp0WiLGHJVMAGRloQdFmctkIcc=
Received: from CY1PR03MB1374.namprd03.prod.outlook.com (10.163.16.28) by CY1PR03MB1374.namprd03.prod.outlook.com (10.163.16.28) with Microsoft SMTP Server (TLS) id 15.1.390.13; Wed, 27 Jan 2016 00:00:36 +0000
Received: from CY1PR03MB1374.namprd03.prod.outlook.com ([10.163.16.28]) by CY1PR03MB1374.namprd03.prod.outlook.com ([10.163.16.28]) with mapi id 15.01.0390.013; Wed, 27 Jan 2016 00:00:36 +0000
From: Mike Bishop <Michael.Bishop@microsoft.com>
To: Martin Thomson <martin.thomson@gmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Thread-Topic: FW: New Version Notification for draft-thomson-http2-client-certs-01.txt
Thread-Index: AQHRVWOAcftGZF4T1UaJdSueCSI/S58OO4GAgAAdb4CAAAc/gIAAHimg
Date: Wed, 27 Jan 2016 00:00:36 +0000
Message-ID: <CY1PR03MB13742153C8F4DF64EEA67D8687D90@CY1PR03MB1374.namprd03.prod.outlook.com>
References: <20160122222315.28781.93913.idtracker@ietfa.amsl.com> <CY1PR03MB1374890E32B6F6CA2AB78D8D87D80@CY1PR03MB1374.namprd03.prod.outlook.com> <20160126213813.GA5528@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnVXvdLr7fh=Dc2HswE=hAmq30k2aXMvdi7u18=jj2iv9w@mail.gmail.com>
In-Reply-To: <CABkgnnVXvdLr7fh=Dc2HswE=hAmq30k2aXMvdi7u18=jj2iv9w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Bishop@microsoft.com;
x-originating-ip: [131.107.160.40]
x-ms-office365-filtering-correlation-id: 4f2c0e9e-0add-424c-64b4-08d326ace284
x-microsoft-exchange-diagnostics: 1; CY1PR03MB1374; 5:uhzZhtc+2wgX7K7ALqwncHH2f0/7XN9g/wTr8eiSxL4hvuOtrt5il6hQ4RoQvIGmELQermdwOWUhphM0ykzGiTIPu0IrV6m5D8b8I+PcbE2X5eP0Am5wgfESarg4W5qlnst8LzmxJh6tX4ekIteLBQ==; 24:J98PxpBi67bCcIr0EI/pCr4Gqjvf92K95pqpHDEsW6cnubkF+XaBeXaxR8pX2YW0ZuU92dUC7kp/EbDlnUCR7W/JfpQXCOkBmdzHT2oe4vc=
x-exchange-antispam-report-test: UriScan:; BCL:0; PCL:0; RULEID:; SRVR:CY1PR03MB1374; UriScan:;
x-o365eop-header: O365_EOP: Allow for Unauthenticated Relay
x-o365ent-eop-header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
x-microsoft-antispam-prvs: <CY1PR03MB1374CB20C799C5BD787B178A87D90@CY1PR03MB1374.namprd03.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(61426038)(61427038); SRVR:CY1PR03MB1374; BCL:0; PCL:0; RULEID:; SRVR:CY1PR03MB1374;
x-forefront-prvs: 0834BAF534
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(51914003)(24454002)(377454003)(189002)(199003)(13464003)(54356999)(5001960100002)(74316001)(3846002)(2950100001)(1220700001)(76576001)(2900100001)(1096002)(10090500001)(77096005)(50986999)(101416001)(11100500001)(106116001)(105586002)(5003600100002)(586003)(5002640100001)(76176999)(102836003)(106356001)(5008740100001)(189998001)(99286002)(19580395003)(33656002)(6116002)(5005710100001)(87936001)(2906002)(122556002)(10290500002)(19580405001)(4326007)(10400500002)(8990500004)(66066001)(5004730100002)(3280700002)(230783001)(86612001)(81156007)(5001770100001)(97736004)(40100003)(92566002)(86362001)(93886004)(3470700001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR03MB1374; H:CY1PR03MB1374.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Jan 2016 00:00:36.4211 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR03MB1374
Received-SPF: pass client-ip=65.55.169.144; envelope-from=Michael.Bishop@microsoft.com; helo=na01-bl2-obe.outbound.protection.outlook.com
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: AWL=-2.567, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_NW=0.5
X-W3C-Scan-Sig: maggie.w3.org 1aODXl-0007F5-Oy e792cb88b47f206d359c98dc983b39c2
X-Original-To: ietf-http-wg@w3.org
Subject: RE: FW: New Version Notification for draft-thomson-http2-client-certs-01.txt
Archived-At: <http://www.w3.org/mid/CY1PR03MB13742153C8F4DF64EEA67D8687D90@CY1PR03MB1374.namprd03.prod.outlook.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31002
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

I believe the other comment is also around AUTOMATIC_USE, since both occurrences of "future streams" are in that context.  Basically, it means any future stream on which the server would have made the same request, the server can just use the provided cert and not burn an RTT asking.

Yes, the client loses visibility into whether the cert has been used, and loses the ability to *not* use the cert if it chooses.  That's a trade-off the client can make -- if it wants to retain those capabilities (at the expense of 1 RTT per request), it just doesn't set AUTOMATIC_USE.

The client makes the call -- and as Martin points out, it's state-changing for the connection.  Once you AUTOMATIC_USE a certificate, the server MAY apply it to any future request you make on the connection.  If you change your mind later, new connection (and presumably GOAWAY the old one).

As to requiring EMS, reducing exporter, and appropriate HashAndSignature algorithms, I'll defer to those with more expertise in TLS-land.

-----Original Message-----
From: Martin Thomson [mailto:martin.thomson@gmail.com] 
Sent: Tuesday, January 26, 2016 2:04 PM
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Mike Bishop <Michael.Bishop@microsoft.com>; HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: FW: New Version Notification for draft-thomson-http2-client-certs-01.txt

Thanks for the prompt feedback Ilari,

On 27 January 2016 at 08:38, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> - Needs to require EMS or TLS 1.3. Any use of TLS-EXPORTER for auth on
>   connections vulernable to THS is no-no.

Yes, absolutely.

> - What does "future streams associated with this request" mean exactly.
>   Covering a stream client did not intend to is no-no.

Context?

> - How does client revoke AUTOMATIC_USE on some certificate (or all
>   certificates) in sequentially consistent way? For the same reasons
>   as previous.

GOAWAY & close.  Note that you might be better off asking for the removal of AUTOMATIC_USE if this is a concern you have.  Also note that you are asking for a level of control that the server doesn't get.

> - Why 1024 byte exporter output? That seems excessively large. 64
>   bytes is already 512 bits, which is high even if actual security
>   is cut in half somehow.

Hmm, yes, 64 bytes is plenty.

> - There are all sorts of crappy TLS HashAndSignatureAlgorithm values
>   that need forbidding, like DSA or ones using MD5 or SHA1.

Good point.  We should limit this to DSA with SHA1.

v2.23.0 | Report a Bug | By Email