IETF Logo Mail Archive

Re: FW: New Version Notification for draft-bishop-httpbis-http2-additional-certs-05.txt

Kazuho Oku <kazuhooku@gmail.com> Mon, 13 November 2017 07:17 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8977128C82 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 12 Nov 2017 23:17:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.999
X-Spam-Level:
X-Spam-Status: No, score=-6.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lll6fks4GCBP for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 12 Nov 2017 23:17:34 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71FF012008A for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 12 Nov 2017 23:17:34 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1eE8sa-0000ri-Bc for ietf-http-wg-dist@listhub.w3.org; Mon, 13 Nov 2017 07:10:00 +0000
Resent-Date: Mon, 13 Nov 2017 07:10:00 +0000
Resent-Message-Id: <E1eE8sa-0000ri-Bc@frink.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <kazuhooku@gmail.com>) id 1eE8sU-0000qi-FY for ietf-http-wg@listhub.w3.org; Mon, 13 Nov 2017 07:09:54 +0000
Received: from mail-pg0-f41.google.com ([74.125.83.41]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <kazuhooku@gmail.com>) id 1eE8sS-0005Kp-Id for ietf-http-wg@w3.org; Mon, 13 Nov 2017 07:09:53 +0000
Received: by mail-pg0-f41.google.com with SMTP id c123so4032098pga.11 for <ietf-http-wg@w3.org>; Sun, 12 Nov 2017 23:09:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=+EqjNytdYLQUGm9T3pFueUGJ7ulWQR06wfIgY0/lRNg=; b=uSBEYemv5HtREWgrzBG1YBS8IhO3LO+/IH7nPKnhHLSaPWbrarmwyB4Qdvcfr9MmQf KWYWYULPF839dF3e9Bq0Zt+kFhfqX1txD47c2kviQSrrAgfTDXONa23QfUbwKG1jp8+y RG3edueD+op4/00pO4mi78Zmpl6E5H4KsgXT4v4Q4Xs/cHR0KSxFotVFl7BVVM1yoHNT JQ4Z75pTC1wjmnScyzloBVz4hBWBH02gN9qMCNqKcwotN6BKjrxj0HU/QxgA3gYzPbjD bfLInh0uZP2W65oPMKjWqIXTvPTK0ZfYVij1smQ0SSuql3PwO5NGPT0WsZ+oJtnVWJHJ acgg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=+EqjNytdYLQUGm9T3pFueUGJ7ulWQR06wfIgY0/lRNg=; b=NZQlBKqxtL64wTsP2KeA1is1ah2pvx0kQ9JDCcpTIOf6u11YnI46303Q3WmM3T53XQ iZH/Lp9HY60vZcse3VOFmX/uiYMxXgKwiK9Gchk6Et81v1ddAm2du/kjDXk7q3j6P/4Q kBjMedHYt1+52zGSA0owlARCYxBIJ7/PnA20VQd9jeCRozzwt9jYuYIM6uRZgASXa+vj pRd+PnmXYQ+s3zvEEJvWUgvOpnwAIiJliJwDnk8b0fCAuUY01bv/hOokZYbP8Q49oIGV Fhho7qJ1JyyoVIBihpoKh4f/AFeU4S40yihjQMLhwHDJWOlV3psa2GBPGJR7fLwdbZXF +Tlg==
X-Gm-Message-State: AJaThX6NhJC5e/v96csF3RwyEf/nP7lOB0e11U+5Ky+X8YSC3Ugb4QL6 KDzVinrYMaSMqQneS3cOLY205SYRVnimc6f8rT9mMw==
X-Google-Smtp-Source: AGs4zMZq8nVQU7pMlFFhGZkYcwKyIFQnVtYQ6CygwXdvzapwrcal15ImQkRmVOZwc4uqyqY/GR+EluvoyHP2xWpQGew=
X-Received: by 10.101.100.76 with SMTP id s12mr3752616pgv.173.1510556970984; Sun, 12 Nov 2017 23:09:30 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.159.9 with HTTP; Sun, 12 Nov 2017 23:09:30 -0800 (PST)
In-Reply-To: <MWHPR08MB347212B6F2F9DDD092728354DA5E0@MWHPR08MB3472.namprd08.prod.outlook.com>
References: <150939960176.7740.5723475746682417243.idtracker@ietfa.amsl.com> <MWHPR08MB347212B6F2F9DDD092728354DA5E0@MWHPR08MB3472.namprd08.prod.outlook.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Mon, 13 Nov 2017 15:09:30 +0800
Message-ID: <CANatvzzO0gsuvjBjCuGuvxenubnVt4G==qw1huzjSd57V+8A9Q@mail.gmail.com>
To: Mike Bishop <mbishop@evequefou.be>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=74.125.83.41; envelope-from=kazuhooku@gmail.com; helo=mail-pg0-f41.google.com
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: AWL=-0.066, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1eE8sS-0005Kp-Id 157980c401d2ae934b3008678089e18f
X-Original-To: ietf-http-wg@w3.org
Subject: Re: FW: New Version Notification for draft-bishop-httpbis-http2-additional-certs-05.txt
Archived-At: <https://www.w3.org/mid/CANatvzzO0gsuvjBjCuGuvxenubnVt4G==qw1huzjSd57V+8A9Q@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/34780
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi, Mike, Nick, Martin,

I have briefly asked this in the IETF meeting, but let me question if
it sounds logical to adjust the approach so that the client will be
required to proactively specify the certificate that is associated to
each HTTP request.

I ask this due to the following reason.

In HTTP/1, it was always clear from the server’s viewpoint which
certificate is associated to a HTTP request. This is because the
underlying connection allowed only one client certificate at maximum
to be used. CGI is designed after that model. A CGI gateway is
expected to designate _at most one_ certificate that has been
associated to the request by using a set of environment variables
(e.g., `SSL_CLIENT_S_DN` [1]). I would assume that it is the same for
other de-facto standards that have evolved from CGI (e.g., FastCGI,
Rack).

The secondary certificates draft changes the model. Under the model
proposed by the draft, the server is expected to choose from one of
the certificates that it has received with AUTOMATIC_USE flag set, or
to request the client to send a new certificate.

However, to me (as a HTTP server developer that acts as a CGI gateway)
it is unclear how a server can make such choice. Applications that are
run using the CGI protocol _might_ have sufficient information to make
such choice, but that is not the case for a CGI gateway.

That means that unless the draft (in the following revisions) specify
the guess logic that I should implement, I would be forced into
sending CERTIFICATE_NEEDED for every HTTP request I receive. Doing so
would introduce one extra roundtrip.

Considering that, I wonder if you could adjust the approach proposed
in the draft to require the client to proactively clarify the
certificate that is associated to each HTTP request.

For example, I believe that the draft could specify that:
* If the client does not specify a certificate that is associated to a
request, a server MAY request the client to specify the certificate.
* The client can specify the certificate that is associated to a
request proactively, instead of sending USE_CERTIFICATE frame in
response to a CERTIFICATE_NEEDED frame.

By changing the approach as such, the only case in which two
roundtrips are required for processing a request could become when the
client is required to send a new certificate. Also, AUTOMATIC_USE flag
becomes unnecessary.

One downside caused by such change is that the bandwidth slightly
increases due to the fact that the client would be required to specify
the certificate that is associated to every HTTP request. However that
is just sending Cert-ID per every HTTP request; I believe that the
increase of bandwidth is negligible.

To summarize, I am suggesting to push the responsibility of choosing
the certificate back to the client. Note that in the current draft the
client is still required to make such choice if the server sends a
CERTIFICATE_NEEDED frame; so I think requiring the client to _always_
make the choice does not increase the complexity on the client side.

[1] https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

2017-10-31 8:14 GMT+08:00 Mike Bishop <mbishop@evequefou.be>:
> In preparation for Singapore, we've updated the Additional Certs draft to track changes in TLS 1.3 and the Exported Authenticators TLS draft.  There's been substantial interest here, and we'll be discussing the draft during the WG meeting.
>
> -----Original Message-----
> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> Sent: Monday, October 30, 2017 2:40 PM
> To: Martin Thomson <martin.thomson@gmail.com>; Mike Bishop <mbishop@evequefou.be>; Nick Sullivan <nick@cloudflare.com>
> Subject: New Version Notification for draft-bishop-httpbis-http2-additional-certs-05.txt
>
>
> A new version of I-D, draft-bishop-httpbis-http2-additional-certs-05.txt
> has been successfully submitted by Mike Bishop and posted to the IETF repository.
>
> Name:           draft-bishop-httpbis-http2-additional-certs
> Revision:       05
> Title:          Secondary Certificate Authentication in HTTP/2
> Document date:  2017-10-30
> Group:          Individual Submission
> Pages:          21
> URL:            https://www.ietf.org/internet-drafts/draft-bishop-httpbis-http2-additional-certs-05.txt
> Status:         https://datatracker.ietf.org/doc/draft-bishop-httpbis-http2-additional-certs/
> Htmlized:       https://tools.ietf.org/html/draft-bishop-httpbis-http2-additional-certs-05
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-bishop-httpbis-http2-additional-certs-05
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-bishop-httpbis-http2-additional-certs-05
>
> Abstract:
>   TLS provides fundamental mutual authentication services for HTTP,
>   supporting up to one server certificate and up to one client
>   certificate associated to the session to prove client and server
>   identities as necessary.  This draft provides mechanisms for
>   providing additional such certificates at the HTTP layer when these
>   constraints are not sufficient.
>
>   Many HTTP servers host content from several origins.  HTTP/2
>   [RFC7540] permits clients to reuse an existing HTTP connection to a
>   server provided that the secondary origin is also in the certificate
>   provided during the TLS [I-D.ietf-tls-tls13] handshake.
>
>   In many cases, servers will wish to maintain separate certificates
>   for different origins but still desire the benefits of a shared HTTP
>   connection.  Similarly, servers may require clients to present
>   authentication, but have different requirements based on the content
>   the client is attempting to access.
>
>   This document describes how TLS exported authenticators
>   [I-D.ietf-tls-exported-authenticator] can be used to provide proof of
>   ownership of additional certificates to the HTTP layer to support
>   both scenarios.
>
>
>
>
> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>



-- 
Kazuho Oku

v2.23.0 | Report a Bug | By Email