Re: Client Certificates - re-opening discussion

Kyle Rose <krose@krose.org> Mon, 21 September 2015 14:32 UTC

In-Reply-To: <6B89D91E-8E76-46E0-A2B5-1E764DDC5AD0@greenbytes.de>
References: <63DECDF0-AB59-4AFD-8E48-8C2526FD6047@mnot.net> <42DDF1C6-F516-4F71-BAE0-C801AD13AA01@co-operating.systems> <2F3BD1CB-042D-48AB-8046-BB8506B8E035@mnot.net> <CABcZeBNpjbNdeqxP_cwCDygk6_MVDoNhqcMEDmEvEBxztmonLg@mail.gmail.com> <20150918205734.GA23316@LK-Perkele-VII> <70D2F8CE-D1A2-440F-ADFC-24D0CE0EDCF1@greenbytes.de> <CABcZeBPNxEA6O324tnF3dbUCLD-a7uUvWYYjO1pnYwAm9cN2eA@mail.gmail.com> <CY1PR03MB1374F1CA73EFDA80C7CE44E887580@CY1PR03MB1374.namprd03.prod.outlook.com> <9BD53F44-94BA-4931-891A-BD94B5F440D0@gmail.com> <CY1PR03MB1374BE698FEB732EBB9BD96087460@CY1PR03MB1374.namprd03.prod.outlook.com> <68879535-44AB-4E68-BA42-827BA334D9A8@gmail.com> <CAJU8_nX3kOxTavtz6s8EV_M0wfvgQorDsVDRszqqebVEHh++kw@mail.gmail.com> <C6DB2FC1-AA9B-43B9-BF28-AFB6B2957F9E@gmail.com> <6B89D91E-8E76-46E0-A2B5-1E764DDC5AD0@greenbytes.de>
Date: Mon, 21 Sep 2015 10:28:13 -0400
Message-ID: <CAJU8_nX5jY6X0Nnd5Vke0wpYS3UCsmyzqvD6xoQ4u_L7Wfr3SQ@mail.gmail.com>
From: Kyle Rose <krose@krose.org>
To: Stefan Eissing <stefan.eissing@greenbytes.de>
Cc: Yoav Nir <ynir.ietf@gmail.com>, Mike Bishop <Michael.Bishop@microsoft.com>, Eric Rescorla <ekr@rtfm.com>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Mark Nottingham <mnot@mnot.net>, Henry Story <henry.story@co-operating.systems>, HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/CAJU8_nX5jY6X0Nnd5Vke0wpYS3UCsmyzqvD6xoQ4u_L7Wfr3SQ@mail.gmail.com>

>> The difference is that now the sane design is mandatory, else you get unpredictable results. A sane design works with renegotiation, #209 and HTTP-layer authentication
>
> Not even then. Client may reuse connections on matching certs. There are installations out there that have a cert for 3+ domain names, let's say A, B and C. A has anonymous access, B and C both require different client certs. Depending on which tab the browser loads first, one or the other cert gets loaded in, leading the other site to fail since the cert is not accepted.

Yeah, this is a huge issue that doesn't appear in HTTP/1.1. It sounds
to me like the real problem is trying to shoehorn application-layer
client authentication into the transport layer.

Kyle
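The failure mode in the quoted paragraph, as an added example that is not part of the original message and not code from any browser or server: a small model of HTTP/2 connection coalescing (RFC 7540 section 9.1.1) in which one certificate and one IP address serve A, B and C, B and C each require a different client certificate, and the first origin that triggers a certificate request decides which certificate the shared connection carries. The host names, address, certificate names and the 403-versus-421 server policy are constructed for the demo; the 421 Misdirected Request path is the remedy RFC 7540 section 9.1.2 gives a server that receives a request it cannot serve on a coalesced connection.

```python
"""Toy model of HTTP/2 connection coalescing and the per-origin client-cert
problem.  Constructed example: hosts, IP and certificate names are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def dns_name_matches(name: str, host: str) -> bool:
    """RFC 6125-style dNSName match: a wildcard may only stand for the left-most label."""
    name, host = name.lower(), host.lower()
    if name.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == name[2:]
    return name == host


@dataclass(frozen=True)
class ServerCert:
    sans: Tuple[str, ...]  # subjectAltName dNSName entries

    def covers(self, host: str) -> bool:
        return any(dns_name_matches(n, host) for n in self.sans)


@dataclass
class Connection:
    ip: str
    server_cert: ServerCert
    client_cert: Optional[str] = None   # cert presented on this TLS session, once requested
    dedicated_to: Optional[str] = None  # set after a 421: other origins never coalesce onto it


def can_coalesce(conn: Connection, host: str, resolved_ip: str) -> bool:
    """RFC 7540 9.1.1: a client may reuse a connection for another origin when that
    origin resolves to the connection's IP and the server cert is valid for it."""
    return (conn.dedicated_to is None and conn.ip == resolved_ip
            and conn.server_cert.covers(host))


class Server:
    """One IP, one cert for A, B and C; policy maps host -> required client cert (or None)."""
    def __init__(self, cert: ServerCert, policy: Dict[str, Optional[str]], use_421: bool):
        self.cert, self.policy, self.use_421 = cert, policy, use_421

    def handle(self, conn: Connection, host: str, client: "Client") -> int:
        required = self.policy[host]
        if required is None:
            return 200
        if conn.client_cert is None:
            # Certificate request (renegotiation, or post-handshake auth): the client
            # picks the cert for the host it believes it is talking to, and that cert
            # is now bound to the whole connection.
            conn.client_cert = client.certs.get(host)
        if conn.client_cert == required:
            return 200
        # Connection already carries a cert for a different origin.  421 tells the
        # client to stop coalescing and retry on a fresh connection; 403 leaves it stuck.
        return 421 if self.use_421 else 403


class Client:
    def __init__(self, dns: Dict[str, str], certs: Dict[str, str]):
        self.dns, self.certs = dns, certs
        self.pool: List[Connection] = []

    def _open(self, ip: str, server: Server, dedicated_to: Optional[str] = None) -> Connection:
        conn = Connection(ip, server.cert, dedicated_to=dedicated_to)
        self.pool.append(conn)
        return conn

    def request(self, host: str, server: Server) -> int:
        ip = self.dns[host]
        conn = (next((c for c in self.pool if c.dedicated_to == host), None)
                or next((c for c in self.pool if can_coalesce(c, host, ip)), None)
                or self._open(ip, server))
        status = server.handle(conn, host, self)
        if status == 421:
            # Retry once on a connection that will not be shared with other origins.
            conn = self._open(ip, server, dedicated_to=host)
            status = server.handle(conn, host, self)
        return status


CERT = ServerCert(("a.example.test", "b.example.test", "c.example.test"))
DNS = {h: "192.0.2.10" for h in CERT.sans}  # all three names resolve to one address
USER_CERTS = {"b.example.test": "cert-B", "c.example.test": "cert-C"}
POLICY = {"a.example.test": None, "b.example.test": "cert-B", "c.example.test": "cert-C"}


def run(order: List[str], use_421: bool) -> Tuple[List[int], int]:
    """Load origins in the given order; return the status of each request (after any
    421 retry) and how many TLS connections the client ended up opening."""
    server = Server(CERT, POLICY, use_421)
    client = Client(DNS, USER_CERTS)
    statuses = [client.request(h, server) for h in order]
    return statuses, len(client.pool)


if __name__ == "__main__":
    for order in (["b.example.test", "c.example.test"], ["c.example.test", "b.example.test"]):
        print(order, "403 server:", run(order, False), "421 server:", run(order, True))
```

Whichever of B or C is loaded first wins the shared connection, and the other fails with 403 exactly as the quoted paragraph describes; with the 421 policy the second origin gets its own connection and both succeed. The model deliberately hides TLS details: HTTP/2 itself forbids renegotiation once the connection preface has been sent (RFC 7540 section 9.2.1), which is why the thread is looking for an HTTP-layer alternative.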