Re: Report on preliminary decision on TLS 1.3 and client auth

Yoav Nir <ynir.ietf@gmail.com> Mon, 26 October 2015 07:07 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CABkgnnVhYrodst7OMLGsyebLYXqF+S2qF+aaJiQx28xrAZ-a7w@mail.gmail.com>
Date: Mon, 26 Oct 2015 09:03:08 +0200
Cc: "Jason T. Greene" <jason.greene@redhat.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <A6CD7323-074D-49B0-934E-A64CE791CF39@gmail.com>
References: <CABkgnnWREq6X+chcvookChGAZGxkJ6Zs_7FGwz7Mbn12XMxewQ@mail.gmail.com> <CABkgnnVeWXQ0KM+EuGrK6Nj6yuJKP6jGb51g2bN1+G_MHLcJig@mail.gmail.com> <20151020062455.GA476@LK-Perkele-V2.elisa-laajakaista.fi> <633F3373-BCB3-4985-ACE7-209F02A167B6@redhat.com> <CABkgnnVhYrodst7OMLGsyebLYXqF+S2qF+aaJiQx28xrAZ-a7w@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: <http://www.w3.org/mid/A6CD7323-074D-49B0-934E-A64CE791CF39@gmail.com>

> On 20 Oct 2015, at 9:10 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On 20 October 2015 at 05:31, Jason T. Greene <jason.greene@redhat.com> wrote:
>> Wouldn't the semantics be a hell of a lot cleaner, and implementations a lot simpler, if we just pushed this to an HTTP cert auth protocol?
> 
> Yes, yes it would.  A better authentication mechanism might be better
> still.  But that would be a new protocol.  We have plenty of evidence
> to suggest that a new protocol would not be acceptable.  As I said, we
> are already at plan B.

An HTTP cert auth protocol is just an HTTP authentication method, much like Basic, Digest or the experimental ones we’re standardizing in http-auth. The framework is already there in all clients and servers.  It has the advantage that you don’t have to skip between protocol layers - it’s all in HTTP. This way the client is in control of which streams are authenticated and which are not, so Ilari’s security hole could go away.

Practically you probably don’t want to sign each request, so applications are likely to set a cookie (or tokbind) after a single authentication and use that to continue the authentication to other resources, but that’s the way they do it with other forms of authentication anyway.

Yoav
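As an added illustration (not code from the message above, nor from any standard or httpauth draft), the following Go sketch models the kind of HTTP-layer certificate scheme Yoav describes: the server issues a nonce challenge, the client answers it for one specific request by signing the nonce together with the method and path with its certificate's key, and the server verifies the certificate against its trust store and the signature against that request before issuing a cookie that carries the authentication to later requests. The header format, the `sigInput` construction, the single-use nonce rule and the trust setup (the test server trusts one constructed self-signed client certificate directly, where a deployment would trust a CA) are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Credential is the hypothetical Authorization payload: the client's DER
// certificate plus an ASN.1 ECDSA signature over sigInput(nonce, method, path).
type Credential struct {
	Nonce     string
	Cert, Sig []byte
}

// Server keeps single-use nonces and the cookie sessions it has issued.
type Server struct {
	Roots    *x509.CertPool
	Nonces   map[string]time.Time // nonce -> expiry
	Sessions map[string]string    // cookie -> authenticated subject
}

func randToken() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand is documented never to return an error
	return base64.RawURLEncoding.EncodeToString(b)
}

// Challenge is the nonce the server would send in a WWW-Authenticate header.
func (s *Server) Challenge() string {
	n := randToken()
	s.Nonces[n] = time.Now().Add(2 * time.Minute)
	return n
}

// sigInput binds the signature to the nonce AND the request it authorizes, so a
// captured credential cannot be replayed against another resource.
func sigInput(nonce, method, path string) []byte {
	h := sha256.New()
	for _, part := range []string{nonce, method, path} {
		h.Write(append([]byte(part), 0)) // NUL-terminated so field boundaries are unambiguous
	}
	return h.Sum(nil)
}

// Authorize answers a challenge for one specific request; the client, not the
// transport, decides which requests it signs.
func Authorize(key *ecdsa.PrivateKey, certDER []byte, nonce, method, path string) (Credential, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, sigInput(nonce, method, path))
	return Credential{Nonce: nonce, Cert: certDER, Sig: sig}, err
}

// Verify checks a credential against the request it arrived on and, on success,
// issues a session cookie that carries the authentication to later requests.
func (s *Server) Verify(cr Credential, method, path string) (cookie, subject string, err error) {
	exp, ok := s.Nonces[cr.Nonce]
	delete(s.Nonces, cr.Nonce) // single use, whether or not the rest succeeds
	if !ok || time.Now().After(exp) {
		return "", "", errors.New("unknown or expired nonce")
	}
	cert, err := x509.ParseCertificate(cr.Cert)
	if err != nil {
		return "", "", err
	}
	opts := x509.VerifyOptions{Roots: s.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err = cert.Verify(opts); err != nil {
		return "", "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, sigInput(cr.Nonce, method, path), cr.Sig) {
		return "", "", errors.New("signature does not cover this nonce, method and path")
	}
	cookie = randToken()
	s.Sessions[cookie] = cert.Subject.CommonName
	return cookie, cert.Subject.CommonName, nil
}

// newPair builds a constructed self-signed client certificate and a server that
// trusts exactly that certificate (a real deployment would trust a CA instead).
func newPair(cn string) (*Server, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &Server{Roots: pool, Nonces: map[string]time.Time{}, Sessions: map[string]string{}}, key, der
}

func main() {
	srv, key, der := newPair("alice")
	cred, _ := Authorize(key, der, srv.Challenge(), "GET", "/admin")
	cookie, who, err := srv.Verify(cred, "GET", "/admin")
	_, _, replay := srv.Verify(cred, "GET", "/admin") // second use: nonce already consumed
	fmt.Println(who, err, srv.Sessions[cookie], replay)
}
```

The two checks worth noticing are the ones the TLS-layer design makes awkward: the signature covers the method and path, so the client authenticates exactly the request it chose to and a credential lifted from one stream cannot authorize another; and the nonce is deleted before any other check runs, so a failed or replayed attempt cannot be retried against the same challenge. Everything after the first success rides on the cookie, which is how the message says applications would continue the authentication anyway.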