Re: Client Certificates - re-opening discussion
Yoav Nir <ynir.ietf@gmail.com> Sun, 20 September 2015 21:52 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 382521A8AB5 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 20 Sep 2015 14:52:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.011
X-Spam-Level:
X-Spam-Status: No, score=-7.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OebKae1m4Jkp for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 20 Sep 2015 14:52:54 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 676E51A8A91 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 20 Sep 2015 14:52:54 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ZdmUV-00063I-C7 for ietf-http-wg-dist@listhub.w3.org; Sun, 20 Sep 2015 21:49:47 +0000
Resent-Date: Sun, 20 Sep 2015 21:49:47 +0000
Resent-Message-Id: <E1ZdmUV-00063I-C7@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <ynir.ietf@gmail.com>) id 1ZdmUO-00062X-T1 for ietf-http-wg@listhub.w3.org; Sun, 20 Sep 2015 21:49:40 +0000
Received: from mail-wi0-f180.google.com ([209.85.212.180]) by maggie.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <ynir.ietf@gmail.com>) id 1ZdmUN-0004N9-Gu for ietf-http-wg@w3.org; Sun, 20 Sep 2015 21:49:40 +0000
Received: by wiclk2 with SMTP id lk2so88603661wic.1 for <ietf-http-wg@w3.org>; Sun, 20 Sep 2015 14:49:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=TCwPbZwk4wcvk+pQKwQQ871UvzVccisHRelyMIe7yy4=; b=E+NKfNTyfURo2A4Svpbx4RjFZIWiMwFDxaQTlmEiV/U/2caXvseVJl+S3+TZyKs3i6 FS6ZFDlMHG+HwI8+bs5TAkRqNed+oSHz54F2n2+YF2IZpaVcpG1ibq9LQDMQrgx9xqv+ f1ua5MC7ddn8s6HCene92hUlmAmApQUe4IKbpdXFErLOkDSW78cANELD+Cuwve0J3izq SzZs/zi0PunVltE7CO1q6j399E+4OhPm9Q9q1Dm1QeGDKx/eLdpAT0AssoMbYXc/q8gL GlSy5tt0IMc+Smp1SECt9pyaKNM/8MPZ5rzrOnu4tzDex6JQ3wbOgcjdkjHlHsYWYT16 gcFQ==
X-Received: by 10.180.85.229 with SMTP id k5mr10461746wiz.76.1442785752414; Sun, 20 Sep 2015 14:49:12 -0700 (PDT)
Received: from [192.168.1.12] ([46.120.13.132]) by smtp.gmail.com with ESMTPSA id s16sm10172925wik.13.2015.09.20.14.49.10 (version=TLS1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 20 Sep 2015 14:49:11 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_322C4033-AA5D-4B21-A0B0-8B76B95FA938"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CY1PR03MB1374F1CA73EFDA80C7CE44E887580@CY1PR03MB1374.namprd03.prod.outlook.com>
Date: Mon, 21 Sep 2015 00:49:08 +0300
Cc: Eric Rescorla <ekr@rtfm.com>, Stefan Eissing <stefan.eissing@greenbytes.de>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Mark Nottingham <mnot@mnot.net>, Henry Story <henry.story@co-operating.systems>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <9BD53F44-94BA-4931-891A-BD94B5F440D0@gmail.com>
References: <63DECDF0-AB59-4AFD-8E48-8C2526FD6047@mnot.net> <42DDF1C6-F516-4F71-BAE0-C801AD13AA01@co-operating.systems> <2F3BD1CB-042D-48AB-8046-BB8506B8E035@mnot.net> <CABcZeBNpjbNdeqxP_cwCDygk6_MVDoNhqcMEDmEvEBxztmonLg@mail.gmail.com> <20150918205734.GA23316@LK-Perkele-VII> <70D2F8CE-D1A2-440F-ADFC-24D0CE0EDCF1@greenbytes.de> <CABcZeBPNxEA6O324tnF3dbUCLD-a7uUvWYYjO1pnYwAm9cN2eA@mail.gmail.com> <CY1PR03MB1374F1CA73EFDA80C7CE44E887580@CY1PR03MB1374.namprd03.prod.outlook.com>
To: Mike Bishop <Michael.Bishop@microsoft.com>
X-Mailer: Apple Mail (2.2104)
Received-SPF: pass client-ip=209.85.212.180; envelope-from=ynir.ietf@gmail.com; helo=mail-wi0-f180.google.com
X-W3C-Hub-Spam-Status: No, score=-5.5
X-W3C-Hub-Spam-Report: AWL=-0.818, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1ZdmUN-0004N9-Gu ea4ad725bed3b56224a5652fd62de790
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Client Certificates - re-opening discussion
Archived-At: <http://www.w3.org/mid/9BD53F44-94BA-4931-891A-BD94B5F440D0@gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/30239
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi, Mike > On Sep 20, 2015, at 1:10 AM, Mike Bishop <Michael.Bishop@microsoft.com> wrote: > > Kind of a non-problem, but it’s also the problem itself. The HTTP layer will call different APIs in TLS, but the API HTTP exposes (get client certificate) won’t necessarily change. > · HTTP/1.x + TLS <=1.2 – Client certs work via renegotiation > · HTTP/x + TLS 1.3 – Client certs work via new TLS feature that isn’t renegotiation > · HTTP/2 + TLS 1.2 – How do client certs work? > > It’s a time-scoped problem, since we hope everyone will eventually be on TLS 1.3, but it’s a nearly-universal problem at the moment. There are many proposed kludges for HTTP/2 over TLS 1.2 in the meantime, but we need to find something with broader support than any idea currently has. I’m not sure I see how PR #209 solves the issue. HTTP/2 prohibited renegotiation because HTTP/2 is non-sequential. A bunch of requests may be in process and it is non-deterministic which responses will be generated before, during and after the client authentication. One resource might trigger the renegotiation, but several others might receive different responses based on whether or not the user is authenticated. Now suppose we replace renegotiation with the mechanism proposed in PR #209. Some resource triggers the TLS layer, but instead of triggering a re-negotiation by sending a HelloRequest, it triggers client certificate authentication by sending a CertificateRequest. This is different in some senses: there is no change to the master secret; the old channel bindings are still valid; session keys are not replaced. I don’t see what difference this makes. The connection still changes from a state where the client is anonymous to a state where the client is authenticated. Requests sent by the client still may have been responded to before, during or after the change of state. Maybe I’m missing something, but I don’t see what #209 does that renegotiation did not. Yoav
- Client Certificates - re-opening discussion Mark Nottingham
- Re: Client Certificates - re-opening discussion Martin Thomson
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Mark Nottingham
- Re: Client Certificates - re-opening discussion Ilari Liusvaara
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Mike Belshe
- Re: Client Certificates - re-opening discussion Mark Nottingham
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Ilari Liusvaara
- Re: Client Certificates - re-opening discussion Eric Rescorla
- Re: Client Certificates - re-opening discussion Ilari Liusvaara
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion Eric Rescorla
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Yoav Nir
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Yoav Nir
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Kyle Rose
- Re: Client Certificates - re-opening discussion Yoav Nir
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion Kyle Rose
- Re: Client Certificates - re-opening discussion Mike Belshe
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Stephen Farrell
- Re: Client Certificates - re-opening discussion Kyle Rose
- Re: Client Certificates - re-opening discussion Jason Greene
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Alex Rousskov
- Re: Client Certificates - re-opening discussion Mark Nottingham
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion Martin Thomson
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Yoav Nir
- Re: Client Certificates - re-opening discussion Ryan Hamilton