Re: Report on preliminary decision on TLS 1.3 and client auth

Martin Thomson <martin.thomson@gmail.com> Thu, 24 September 2015 04:20 UTC

In-Reply-To: <5603745A.7020509@treenet.co.nz>
References: <CABkgnnWREq6X+chcvookChGAZGxkJ6Zs_7FGwz7Mbn12XMxewQ@mail.gmail.com> <5603599F.8090303@treenet.co.nz> <CABkgnnVq9FDeGf_=JF0m0AkgfO1G3DVV2QN_aPrbYnFtfRLFrw@mail.gmail.com> <5603745A.7020509@treenet.co.nz>
Date: Wed, 23 Sep 2015 21:17:10 -0700
Message-ID: <CABkgnnVXx-WjacmDj_XKXXTVa7SXBDETNXJd2LQFisExwWcF1A@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Amos Jeffries <squid3@treenet.co.nz>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/CABkgnnVXx-WjacmDj_XKXXTVa7SXBDETNXJd2LQFisExwWcF1A@mail.gmail.com>

On 23 September 2015 at 20:56, Amos Jeffries <squid3@treenet.co.nz> wrote:
> If it is stream-specific in terms of HTTP/2 streams rather than TLS
> streams, then the frame as in option 2 should be okay. Option 1 still
> has major issues with www-auth vs proxy-auth.

Right.  To expand on the problem here, at least in the browser context
- and likely in other cases as well - it is important for the client
to be able to identify which request triggered the certificate
request.  If there are requests from multiple browser windows (or even
applications) sharing the same connection and a CertificateRequest
appears, the client needs to know where to show the associated UX, if
there is any.

I certainly agree about the e2e and hbh concerns.  An end-to-end
message would prevent the hop-by-hop TLS from being tweaked.

>> Also, while I think of it, we should probably forbid the use of this
>> on server-initiated streams (i.e., with server push).  That could
>> cause problems.
>
> I can see that as being a SHOULD NOT, or forbid on PUSH_PROMISE
> specifically. But using a more general definition like "server initiated"
> may cause conflicts with the bi-directional h2 extension.

mhm.