Re: Client Certificates - re-opening discussion

Kyle Rose <krose@krose.org> Mon, 21 September 2015 17:04 UTC

In-Reply-To: <4456BAAA-125B-4038-AAC7-77A20F0C75B1@co-operating.systems>
References: <63DECDF0-AB59-4AFD-8E48-8C2526FD6047@mnot.net> <42DDF1C6-F516-4F71-BAE0-C801AD13AA01@co-operating.systems> <2F3BD1CB-042D-48AB-8046-BB8506B8E035@mnot.net> <CABcZeBNpjbNdeqxP_cwCDygk6_MVDoNhqcMEDmEvEBxztmonLg@mail.gmail.com> <20150918205734.GA23316@LK-Perkele-VII> <70D2F8CE-D1A2-440F-ADFC-24D0CE0EDCF1@greenbytes.de> <CABcZeBPNxEA6O324tnF3dbUCLD-a7uUvWYYjO1pnYwAm9cN2eA@mail.gmail.com> <CY1PR03MB1374F1CA73EFDA80C7CE44E887580@CY1PR03MB1374.namprd03.prod.outlook.com> <9BD53F44-94BA-4931-891A-BD94B5F440D0@gmail.com> <CY1PR03MB1374BE698FEB732EBB9BD96087460@CY1PR03MB1374.namprd03.prod.outlook.com> <68879535-44AB-4E68-BA42-827BA334D9A8@gmail.com> <CAJU8_nX3kOxTavtz6s8EV_M0wfvgQorDsVDRszqqebVEHh++kw@mail.gmail.com> <C6DB2FC1-AA9B-43B9-BF28-AFB6B2957F9E@gmail.com> <6B89D91E-8E76-46E0-A2B5-1E764DDC5AD0@greenbytes.de> <CAJU8_nX5jY6X0Nnd5Vke0wpYS3UCsmyzqvD6xoQ4u_L7Wfr3SQ@mail.gmail.com> <4456BAAA-125B-4038-AAC7-77A20F0C75B1@co-operating.systems>
Date: Mon, 21 Sep 2015 12:58:53 -0400
Message-ID: <CAJU8_nV4=iPowBOysL9Wz5Wyrm4OiKs0J4s6E3fmCQmv9=MyHw@mail.gmail.com>
From: Kyle Rose <krose@krose.org>
To: Henry Story <henry.story@co-operating.systems>
Cc: Stefan Eissing <stefan.eissing@greenbytes.de>, Yoav Nir <ynir.ietf@gmail.com>, Mike Bishop <Michael.Bishop@microsoft.com>, Eric Rescorla <ekr@rtfm.com>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: Client Certificates - re-opening discussion
Archived-At: <http://www.w3.org/mid/CAJU8_nV4=iPowBOysL9Wz5Wyrm4OiKs0J4s6E3fmCQmv9=MyHw@mail.gmail.com>

> It is true that authentication at the TLS layer is much rougher, as
> I think the client can only authenticate with 1 certificate not more,
> per connection.

Right, and the inability to support this leads to a bunch of
kludgey-feeling solutions, like 421s. This situation was always
possible with HTTP/1.1, but is a lot more likely with H2.

Pushing the authentication into the application layer seems like it
could be cleaner. Provide browser support for setting a
CertificateVerify header (e.g., based on a signature of the channel
binding), something that can be cached by the client and server and
reused on all relevant streams over the same connection. Signalling
for "you need to authenticate" and sending the client certificate to
the server would then be entirely at the application layer, possibly
with the support of HTTP status codes, and TLS client certificate
authentication wouldn't be used in this case.
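The application-layer flow sketched above, written out as an added example that is not part of this message or of any working-group draft: the client proves possession of its key by signing the connection's TLS channel binding and sends the result in a `CertificateVerify` header; the server verifies it once, caches the identity per connection so every stream over that connection reuses the result, and answers 401 when a stream needs authentication that has not yet been proven. The header name comes from the message; its `base64(key).base64(signature)` layout, the use of an Ed25519 key as a stand-in for a client certificate, the label mixed into the signed data, and the channel-binding byte strings are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// Label mixed into the signed data so the signature cannot be mistaken for a
// signature over some other protocol message (assumed design choice).
const verifyLabel = "http-app-layer-cert-verify:"

// signedMessage is what the client signs: the label plus the TLS channel
// binding of this connection. Tying the signature to the channel binding
// makes it worthless on any other connection.
func signedMessage(channelBinding []byte) []byte {
	h := sha256.New()
	h.Write([]byte(verifyLabel))
	h.Write(channelBinding)
	return h.Sum(nil)
}

// MakeCertificateVerify builds the header value the client sends:
// base64(public key) "." base64(signature). A real deployment would carry a
// client certificate; a bare Ed25519 key stands in for it here.
func MakeCertificateVerify(priv ed25519.PrivateKey, channelBinding []byte) string {
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, signedMessage(channelBinding))
	return base64.StdEncoding.EncodeToString(pub) + "." + base64.StdEncoding.EncodeToString(sig)
}

// VerifyCertificateVerify checks a header against the channel binding the
// server itself observed for the connection and returns a key identifier.
func VerifyCertificateVerify(header string, channelBinding []byte) (string, error) {
	parts := strings.SplitN(header, ".", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed CertificateVerify header")
	}
	pub, err := base64.StdEncoding.DecodeString(parts[0])
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return "", errors.New("bad public key")
	}
	sig, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", errors.New("bad signature encoding")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), signedMessage(channelBinding), sig) {
		return "", errors.New("signature does not match this connection's channel binding")
	}
	sum := sha256.Sum256(pub)
	return base64.RawStdEncoding.EncodeToString(sum[:8]), nil
}

// Server caches the verified identity per connection so that all streams
// over one HTTP/2 connection share a single verification.
type Server struct {
	mu    sync.Mutex
	cache map[string]string // connection id -> authenticated key id
}

func NewServer() *Server { return &Server{cache: make(map[string]string)} }

// HandleRequest models one stream. It returns the status the server would
// send (401 until the connection has a proven identity, then 200) and the
// identity used for the request.
func (s *Server) HandleRequest(connID string, channelBinding []byte, certVerifyHeader string) (int, string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if id, ok := s.cache[connID]; ok {
		return 200, id // reused on every later stream of this connection
	}
	if certVerifyHeader == "" {
		return 401, "" // application-layer "you need to authenticate" signal
	}
	id, err := VerifyCertificateVerify(certVerifyHeader, channelBinding)
	if err != nil {
		return 401, ""
	}
	s.cache[connID] = id
	return 200, id
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	cbA := []byte("constructed-channel-binding-conn-A") // constructed sample
	cbB := []byte("constructed-channel-binding-conn-B") // constructed sample
	s := NewServer()
	fmt.Println(s.HandleRequest("A", cbA, ""))                             // 401: nothing proven yet
	hdr := MakeCertificateVerify(priv, cbA)
	fmt.Println(s.HandleRequest("A", cbA, hdr))                            // 200: verified and cached
	fmt.Println(s.HandleRequest("A", cbA, ""))                             // 200: cache hit on a later stream
	fmt.Println(s.HandleRequest("B", cbB, hdr))                            // 401: header is bound to conn A
}
```

The last call is the check a server must make: because the signed data includes the channel binding, a header captured on one connection does not verify on another, which is what lets the server safely cache the result for the connection's lifetime.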

This sort of application layer approach may also make a better client
UX more natural, by moving the logic for prompting the user for a
certificate into the web app UI.

Kyle