IETF Logo Mail Archive

RE: Client certificates in HTTP/2

Mike Bishop <Michael.Bishop@microsoft.com> Tue, 09 June 2015 17:55 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1FBB1AC3D5 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 9 Jun 2015 10:55:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zzinSfz6K6aG for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 9 Jun 2015 10:55:48 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD36A1B2DE3 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 9 Jun 2015 10:55:47 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Z2Nh9-00023l-N0 for ietf-http-wg-dist@listhub.w3.org; Tue, 09 Jun 2015 17:52:15 +0000
Resent-Date: Tue, 09 Jun 2015 17:52:15 +0000
Resent-Message-Id: <E1Z2Nh9-00023l-N0@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <Michael.Bishop@microsoft.com>) id 1Z2Nh1-000230-LW for ietf-http-wg@listhub.w3.org; Tue, 09 Jun 2015 17:52:07 +0000
Received: from mail-bl2on0146.outbound.protection.outlook.com ([65.55.169.146] helo=na01-bl2-obe.outbound.protection.outlook.com) by lisa.w3.org with esmtps (TLS1.2:RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <Michael.Bishop@microsoft.com>) id 1Z2Nh0-00063V-Eo for ietf-http-wg@w3.org; Tue, 09 Jun 2015 17:52:07 +0000
Received: from BL2PR03MB132.namprd03.prod.outlook.com (10.255.230.24) by BL2PR03MB132.namprd03.prod.outlook.com (10.255.230.24) with Microsoft SMTP Server (TLS) id 15.1.184.17; Tue, 9 Jun 2015 17:51:39 +0000
Received: from BL2PR03MB132.namprd03.prod.outlook.com ([169.254.9.131]) by BL2PR03MB132.namprd03.prod.outlook.com ([169.254.9.131]) with mapi id 15.01.0184.014; Tue, 9 Jun 2015 17:51:39 +0000
From: Mike Bishop <Michael.Bishop@microsoft.com>
To: Yoav Nir <ynir.ietf@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Thread-Topic: Client certificates in HTTP/2
Thread-Index: AQHQooro5C5BMiM9y0mRQrw2laAAg52kcchA
Date: Tue, 09 Jun 2015 17:51:39 +0000
Message-ID: <BL2PR03MB132485444BC576E64920C2E87BE0@BL2PR03MB132.namprd03.prod.outlook.com>
References: <2EA3403F-E8D6-42E4-94BD-B7975D73B394@gmail.com>
In-Reply-To: <2EA3403F-E8D6-42E4-94BD-B7975D73B394@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;
x-originating-ip: [2001:4898:80e8:ee31::2]
x-microsoft-exchange-diagnostics: 1; BL2PR03MB132; 3:K4w/sqqGbdcuB9stQym/zihU6gC4IDU166W0y3TXGVa1Cc6vf4tDn1X/cI+NocTy4fBDrOe+1YfbVMrvUSgD3v+EPEuQW9DaNJ2hrfKvrREXV9agi/x9NcmTaMQ35xofDeBB/YE9GTxZTuBdB3LAUg==; 10:/s9R7fRZeoRarnztkySdMCCD1W7fV0Qb/U7XDmgBpTJ/rdU3uN86r/ugB8NuWvJ2xmBAjlO6zoS4v1w8e1gaIXcJPJmLniHquj1iapzUg8U=; 6:GPbm6l/6ff9n8SzLnYLE1CMB72lSBbrpZOhiTRV26QLlS87O21eTtyLC1YhqcYNB
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BL2PR03MB132;
x-microsoft-antispam-prvs: <BL2PR03MB132FA2737EEC10C0E34289187BE0@BL2PR03MB132.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(520003)(5005006)(3002001); SRVR:BL2PR03MB132; BCL:0; PCL:0; RULEID:; SRVR:BL2PR03MB132;
x-forefront-prvs: 06022AA85F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(13464003)(52044002)(122556002)(77156002)(62966003)(40100003)(5002640100001)(5001770100001)(2900100001)(74316001)(92566002)(2656002)(46102003)(87936001)(2950100001)(76576001)(86362001)(99286002)(189998001)(106116001)(5001960100002)(107886002)(15975445007)(54356999)(102836002)(76176999)(50986999)(19580405001)(33656002)(19580395003)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BL2PR03MB132; H:BL2PR03MB132.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jun 2015 17:51:39.7818 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2PR03MB132
Received-SPF: pass client-ip=65.55.169.146; envelope-from=Michael.Bishop@microsoft.com; helo=na01-bl2-obe.outbound.protection.outlook.com
X-W3C-Hub-Spam-Status: No, score=-3.6
X-W3C-Hub-Spam-Report: AWL=-2.702, BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_NW=1
X-W3C-Scan-Sig: lisa.w3.org 1Z2Nh0-00063V-Eo 9e2ee22e2ba85973fbdfee3a8d472f78
X-Original-To: ietf-http-wg@w3.org
Subject: RE: Client certificates in HTTP/2
Archived-At: <http://www.w3.org/mid/BL2PR03MB132485444BC576E64920C2E87BE0@BL2PR03MB132.namprd03.prod.outlook.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/29721
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

There have been a number of suggestions for this scenario, and none of them are entirely satisfying.

The TLS WG, last I heard, was discussing a way to present client certificates without full-blown renegotiation.  I'm not sure how the mechanics of that have progressed, if at all, but depending on the form, that might solve this discussion for TLS 1.3.  It doesn't help TLS 1.2, however, where HTTP/2 imposes a restriction on renegotiation.

Our implementation supports two different approaches:  A client which has a client cert ready to offer will send an extension setting TLS_RENEG_PERMITTED advertising that it's willing to accept a server-initiated renegotiation.  If the server also supports that extension, they can renegotiate as they have always done and exchange certs.  (Our client will only advertise that if it has the cert ready, to minimize the stall introduced to other streams by the reneg exchange.  Cert selection can involve showing UI, and we don't want to stall the network on the user.)  If the client doesn't offer that extension, we'll send HTTP_1_1_REQUIRED and drop the client back to HTTP/1.1, where we'll renegotiate to get the client cert.  Definitely not ideal, but it's the only fully-standardized approach that exists right now.

Martin's approach, along with the early-renegotiation dance in the HTTP/2 spec, still forces the creation of a new TLS connection, something we'd prefer to avoid.  It's better than HTTP_1_1_REQUIRED in that it lets the client keep using HTTP/2, but worse in that it mixes the TLS and HTTP layers, something we'd also prefer to minimize.

-----Original Message-----
From: Yoav Nir [mailto:ynir.ietf@gmail.com] 
Sent: Tuesday, June 9, 2015 12:58 AM
To: HTTP Working Group
Subject: Client certificates in HTTP/2

Hi

Long time ago there was a long discussion about using client certificates on the web with HTTP/2. Feel free to skip the next paragraph if you remember the issue.

Most of the web does not use client certificates. Websites that do don’t like users to get a certificate picker when they first land on the page. So what they do is protect the site with regular, server-authenticated TLS and have a landing page. On the landing page there’s going to be something clickable that says “login with certificates”. When the user clicks that, it sends a request for some resource (maybe “/loginWithCerts.html”). When the server gets that request, it triggers the TLS layer to re-negotiate, this time with the certificate request message that causes the certificate picker to pop up. This is the way it’s usually done in HTTP/1, but for HTTP/2, section 9.2.1 prohibits this use or renegotiation and hints at future specification that might provide this.

So a year ago Martin Thomson wrote a pair of draft for solving this: one an HTTP authentication scheme that just says, “go away and come back with a certificate”, while the other is a TLS extension that tells the server that the client would like to authenticate:
https://tools.ietf.org/html/draft-thomson-httpbis-catch-00
https://tools.ietf.org/html/draft-thomson-tls-care-00

Neither was adopted, here or at TLS, so currently HTTP/2 is not usable with mutual authentication. Why has this (useful IMO) extension withered on the vine rather than progressed?  If anyone needs help in pushing this along, I’ll be glad to help.

Yoav

v2.23.0 | Report a Bug | By Email