Re: Client-Cert Header draft

Graham Leggett <minfrin@sharp.fm> Fri, 24 April 2020 23:11 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 665703A0F38 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 24 Apr 2020 16:11:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.57
X-Spam-Level:
X-Spam-Status: No, score=-3.57 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.82, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sharp.fm
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BNmdZUltgQbX for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 24 Apr 2020 16:11:22 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C789D3A0F37 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 24 Apr 2020 16:11:21 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1jS7Px-0007HA-Uc for ietf-http-wg-dist@listhub.w3.org; Fri, 24 Apr 2020 23:07:34 +0000
Resent-Date: Fri, 24 Apr 2020 23:07:33 +0000
Resent-Message-Id: <E1jS7Px-0007HA-Uc@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <minfrin@sharp.fm>) id 1jS7Pw-0007GK-KG for ietf-http-wg@listhub.w3.org; Fri, 24 Apr 2020 23:07:32 +0000
Received: from chandler.sharp.fm ([2001:470:18b1:0:5054:ff:fe6e:d541]) by mimas.w3.org with esmtp (Exim 4.92) (envelope-from <minfrin@sharp.fm>) id 1jS7Pu-0004lg-KM for ietf-http-wg@w3.org; Fri, 24 Apr 2020 23:07:32 +0000
Received: from [IPv6:2001:470:18b1:1:dcd6:38b3:c95f:5d5b] (unknown [IPv6:2001:470:18b1:1:dcd6:38b3:c95f:5d5b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) (Authenticated sender: minfrin@sharp.fm) by chandler.sharp.fm (Postfix) with ESMTPSA id 2D75B1F14F9; Sat, 25 Apr 2020 00:07:19 +0100 (BST)
DKIM-Filter: OpenDKIM Filter v2.11.0 chandler.sharp.fm 2D75B1F14F9
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sharp.fm; s=default; t=1587769639; bh=KvXAwH1NZCwPu2bnVtHvCvFfEWkwlZ6D5CX9PgL/Ulc=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=RXroLM0gEv7C/zCCoACBTTzjnC4oxzsCDTLLW3C7fs1kpRpOGEofUdcrCF6wAzkis b/AR0XqGAasrVqHWL0mDt9DHjAYazjJuIAJbWAw0SBKYh1QbjAxz220RTF1mdTy52D zE7WlUTq5Iu8TWDgciEfQttJLJypdkye22reuQ0k=
From: Graham Leggett <minfrin@sharp.fm>
Message-Id: <8F45E2BB-632C-4A9D-8623-5B44E70053C9@sharp.fm>
Content-Type: multipart/signed; boundary="Apple-Mail=_08B075BA-C930-4DEA-BCA3-5EA40B1F5B14"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Sat, 25 Apr 2020 01:07:09 +0200
In-Reply-To: <CA+k3eCS78WpuGPQx+Wyf4AxeWOWg+ACYBoukftBBE3tGPWROXw@mail.gmail.com>
Cc: James <james.ietf@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
To: Brian Campbell <bcampbell@pingidentity.com>
References: <CA+k3eCRQhuS9TyEVdF6ZAfLSyPngjDLvctUTc++2Ok+RJmw0qA@mail.gmail.com> <5AC09590-1978-4EAB-B5D9-B8E126ED839C@sharp.fm> <e5438ea3-ceae-ef96-f568-b88ed4b19f16@gmail.com> <CA+k3eCS78WpuGPQx+Wyf4AxeWOWg+ACYBoukftBBE3tGPWROXw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Received-SPF: pass client-ip=2001:470:18b1:0:5054:ff:fe6e:d541; envelope-from=minfrin@sharp.fm; helo=chandler.sharp.fm
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1jS7Pu-0004lg-KM 6234ca913ac248e9dd8ce4193c3c2498
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Client-Cert Header draft
Archived-At: <https://www.w3.org/mid/8F45E2BB-632C-4A9D-8623-5B44E70053C9@sharp.fm>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37552
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 25 Apr 2020, at 00:13, Brian Campbell <bcampbell@pingidentity.com> wrote:

> The draft is trying to be agnostic to things like TLS being used from TRRP to Origin or not. But certainly doesn't rule it out. The intro has "...HTTPS is also usually employed between the proxy and the origin server…".

In essence, as a user of this I care only about two things:

- I care what was the cert; and
- I care who asserts this cert is legit.

The first bit is easy - the cert is in the header, I would like the second bit to be as easy as “verify a signature on the header”.

All the stuff about how it’s used is largely academic, as long as I get the above two things, I as a user am happy. What cert is used to sign? I don't want the RFC to care, that’s an implementation detail, let me choose a signature that works for me in my use case.

Key for me is the second line above - if I don’t have a cryptographically secure way to verify where the cert came from, the header is useless to me.

Regards,
Graham
—