Re: Client Certificates - re-opening discussion
Stefan Eissing <stefan.eissing@greenbytes.de> Sat, 19 September 2015 07:23 UTC
From: Stefan Eissing <stefan.eissing@greenbytes.de>
In-Reply-To: <20150918205734.GA23316@LK-Perkele-VII>
Date: Sat, 19 Sep 2015 09:18:59 +0200
Cc: Eric Rescorla <ekr@rtfm.com>, Mark Nottingham <mnot@mnot.net>, Henry Story <henry.story@co-operating.systems>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <70D2F8CE-D1A2-440F-ADFC-24D0CE0EDCF1@greenbytes.de>
References: <63DECDF0-AB59-4AFD-8E48-8C2526FD6047@mnot.net> <42DDF1C6-F516-4F71-BAE0-C801AD13AA01@co-operating.systems> <2F3BD1CB-042D-48AB-8046-BB8506B8E035@mnot.net> <CABcZeBNpjbNdeqxP_cwCDygk6_MVDoNhqcMEDmEvEBxztmonLg@mail.gmail.com> <20150918205734.GA23316@LK-Perkele-VII>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://www.w3.org/mid/70D2F8CE-D1A2-440F-ADFC-24D0CE0EDCF1@greenbytes.de>

> On 18.09.2015 at 22:57, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:
>
>> On Fri, Sep 18, 2015 at 01:48:50PM -0700, Eric Rescorla wrote:
>>> On Fri, Sep 18, 2015 at 10:05 AM, Mark Nottingham <mnot@mnot.net> wrote:
>>>
>>> Hi Henry,
>>>
>>> Thanks, but this is a much more narrowly-scoped discussion -- how to make
>>> client certs as they currently operate work in HTTP/2.
>>
>> Is this a question about HTTP/2's limitations versus HTTP/1.1 or about
>> deficiencies in HTTP/1.1 that HTTP/2 has not fixed?
>
> I think this is about the extra limitations of HTTP/2 regarding client
> authentication caused by major design differences between HTTP/1.1 and
> HTTP/2.
>
> Client certs in HTTP/1.1 aren't too great, but at least those don't
> seem to even remotely have the same problems as client certs in HTTP/2
> (especially when in a web environment).

Just to have everyone on the same page. The problems - as we see them in httpd - are:

1. http/1.1 requests may trigger client certs, which may require renegotiation. Processing is no longer sequential with http/2, causing conflicts. Even if mutexed, what do connection state and h2 stream have to say to each other, and for how long?

2. Connection reuse for different hosts is much more likely, as a lot of sites have a long list of subjectAltNames. That raises the likelihood of conflicts as described above.

Any advice on how to address this in an interoperable way is appreciated.

//Stefan
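The following Python script is an added example, not Stefan's code and not anything from httpd or mod_h2; it simulates the two problems above on constructed data. It applies the RFC 7540 section 9.1.1 coalescing rule (a client may reuse a connection for another origin if the server certificate covers that origin's host; the same-IP condition is assumed to hold because every origin is served from one listener) against a certificate with a broad SAN list, then flags the coalesced origins whose client-certificate policy could only be satisfied by a TLS renegotiation, which RFC 7540 section 9.2.1 forbids after the connection preface. All hostnames, SAN entries and the per-origin policy map are invented for the illustration.

```python
# Added example, not part of the original message or of httpd: a simulation
# of HTTP/2 connection coalescing (RFC 7540 s. 9.1.1) followed by a check for
# origins whose client-certificate policy would need a TLS renegotiation,
# which RFC 7540 s. 9.2.1 rules out once the connection preface is sent.
# Every hostname, SAN entry and policy below is constructed for illustration.

def san_matches(hostname: str, san: str) -> bool:
    """RFC 6125-style dNSName matching.

    Case-insensitive, label-by-label comparison.  A wildcard is honoured
    only as the entire left-most label, it matches exactly one label, and
    at least two literal labels must follow it: '*.example.test' matches
    'api.example.test' but not 'example.test' or 'a.b.example.test', and
    '*.test' matches nothing.
    """
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        return len(pattern) > 2 and host[1:] == pattern[1:]
    return host == pattern


def coalescable_origins(cert_sans, origins):
    """Origins a client may send over an existing connection whose server
    certificate carries cert_sans (same-IP condition assumed to hold)."""
    return [o for o in origins if any(san_matches(o, s) for s in cert_sans)]


def renegotiation_conflicts(connection_host, cert_sans, origins, policy):
    """Coalescable origins that demand a client certificate although the
    host the connection was opened for did not ask for one.

    policy maps origin -> True when that origin requires a client cert
    (think per-vhost or per-location SSLVerifyClient).  Over HTTP/1.1 the
    server can ask for the certificate later by renegotiating; over HTTP/2
    streams for these origins cannot be served on this connection.
    """
    if policy.get(connection_host, False):
        # The certificate was already requested in the initial handshake.
        return []
    return [o for o in coalescable_origins(cert_sans, origins)
            if policy.get(o, False)]


# Constructed sample data: one certificate with a broad SAN list, several
# vhosts behind it, and one vhost that insists on a client certificate.
CERT_SANS = ["www.example.test", "*.example.test", "static.example-cdn.test"]
ORIGINS = [
    "www.example.test",
    "api.example.test",
    "admin.example.test",
    "deep.api.example.test",    # too deep for the single-label wildcard
    "static.example-cdn.test",
    "other.test",               # not covered by the certificate at all
]
POLICY = {
    "www.example.test": False,
    "api.example.test": False,
    "admin.example.test": True,     # client certificate required
    "static.example-cdn.test": False,
}

if __name__ == "__main__":
    print("coalescable onto one connection:",
          coalescable_origins(CERT_SANS, ORIGINS))
    print("need renegotiation if opened for www.example.test:",
          renegotiation_conflicts("www.example.test", CERT_SANS, ORIGINS, POLICY))
    print("need renegotiation if opened for admin.example.test:",
          renegotiation_conflicts("admin.example.test", CERT_SANS, ORIGINS, POLICY))
```

Run stand-alone, the script reports that four of the six origins share one connection and that admin.example.test is the one that cannot be served on a connection opened for www.example.test. The usual operational consequences follow directly: either request the client certificate at the vhost level so it arrives in the initial handshake, or put the client-certificate vhosts on a certificate whose SAN list does not overlap with the rest, so a client cannot coalesce them.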
- Client Certificates - re-opening discussion Mark Nottingham
- Re: Client Certificates - re-opening discussion Martin Thomson
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Mark Nottingham
- Re: Client Certificates - re-opening discussion Ilari Liusvaara
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Mike Belshe
- Re: Client Certificates - re-opening discussion Mark Nottingham
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Ilari Liusvaara
- Re: Client Certificates - re-opening discussion Eric Rescorla
- Re: Client Certificates - re-opening discussion Ilari Liusvaara
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion Eric Rescorla
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Yoav Nir
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Yoav Nir
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Kyle Rose
- Re: Client Certificates - re-opening discussion Yoav Nir
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion Kyle Rose
- Re: Client Certificates - re-opening discussion Mike Belshe
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Stephen Farrell
- Re: Client Certificates - re-opening discussion Kyle Rose
- Re: Client Certificates - re-opening discussion Jason Greene
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion henry.story@bblfish.net
- Re: Client Certificates - re-opening discussion Alex Rousskov
- Re: Client Certificates - re-opening discussion Mark Nottingham
- Re: Client Certificates - re-opening discussion Stefan Eissing
- Re: Client Certificates - re-opening discussion Martin Thomson
- RE: Client Certificates - re-opening discussion Mike Bishop
- Re: Client Certificates - re-opening discussion Yoav Nir
- Re: Client Certificates - re-opening discussion Ryan Hamilton