Re: Genart last call review of draft-ietf-httpbis-client-cert-field-04
Brian Campbell <bcampbell@pingidentity.com> Fri, 24 February 2023 23:37 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0704DC14CE25 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 24 Feb 2023 15:37:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.746
X-Spam-Level:
X-Spam-Status: No, score=-2.746 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MmgwDGPvTB2B for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 24 Feb 2023 15:37:05 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25958C14CE53 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 24 Feb 2023 15:36:35 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1pVhby-00BcfL-Jt for ietf-http-wg-dist@listhub.w3.org; Fri, 24 Feb 2023 23:36:22 +0000
Resent-Date: Fri, 24 Feb 2023 23:36:22 +0000
Resent-Message-Id: <E1pVhby-00BcfL-Jt@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <bcampbell@pingidentity.com>) id 1pVhbw-00Bcdt-1Z for ietf-http-wg@listhub.w3.org; Fri, 24 Feb 2023 23:36:20 +0000
Received: from mail-pf1-x433.google.com ([2607:f8b0:4864:20::433]) by mimas.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <bcampbell@pingidentity.com>) id 1pVhbu-00D4cg-MH for ietf-http-wg@w3.org; Fri, 24 Feb 2023 23:36:20 +0000
Received: by mail-pf1-x433.google.com with SMTP id y10so417026pfi.8 for <ietf-http-wg@w3.org>; Fri, 24 Feb 2023 15:36:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=K52JKPHlTBIUf3Ub/aZjZxa2O6LNrzXVKrFtqspufqI=; b=IMciPy8j1l9M5khPncYXbsOUWNqkfdq/4ii7Jbop2UX9UKvsYCMyZLTbmcKMj+qiSX GC1Y4ydt2dRf/KGbvVT7WhxhlGXQR59KExHaFdrlGE8OEs0OJEQ6GOW7MEdnywPVHalE D2sc7nosora0pKAcyAQG3RUOE/e5veUzWjBUZcs8oCycodnSIM+5YUBah0oSjmprgZJr 2F1Pt3kOPa3iaZx+ygFpgPNmoW03nxasyx7jqdO/NinTs0p0VOocx6jKvc8bWPbPCuSW MZdGuE0pbTqMuhAM3jM80JKdl8wDRXXo9573kCn9Z2Mt5eQltGqZWjN7HyfVhDoZzaVc 078w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=K52JKPHlTBIUf3Ub/aZjZxa2O6LNrzXVKrFtqspufqI=; b=Do+ccgMtHOxaWXg3ixFGVFzJvmfo3igIwa1SAT3j1WTtfnbjE8igltKK5zE1EW84Bk D2adP2wM7s8GZlWN6rXDHGGuZm7JJFztH7ht/+Y5ahLbRX4rky9XDNDP+TkXauHDRYIG 4xXdxchArX5zL0UZvwVkdHHpaoxdvwPVfJy3XeAluRbEwUgHSVYi241cTZsK1VR6pqJ/ JXQDN5FPACLe1+WxWBgGwXpE3eMfWKhVsdM19vVVwR1wiVn+0gi6o7NTheEVV4cXvJrW TzozcqJqreGD5k0snrR3Vouu/F/8M7Hvu/dLSCi+AaMx1txiSFeAgkS5H7P9nEkESYBu OQSw==
X-Gm-Message-State: AO0yUKX1rcEcfYNnPDoMG+ue45dc4bUX2XnU5Ca9PiEq+i8DAL5lepSM zMfrSQiACKX1yk+9q0j/jWUa7jNOiez7Nz4c4Qe0mIttqjIDPp1FUfAVN7WFx+wltax4Bdzda9l 0e8+L3nJZGa8/M+baWN6M
X-Google-Smtp-Source: AK7set9ECZAmB8hubAaW5Cwlr9EeND1VQomIXfgmeqr3oS40y34b/i5qOPKa897ueNZtJ7t939sAp7py2OcTt0ADXQg=
X-Received: by 2002:a65:6944:0:b0:4fd:2170:b2da with SMTP id w4-20020a656944000000b004fd2170b2damr3126775pgq.0.1677281767343; Fri, 24 Feb 2023 15:36:07 -0800 (PST)
MIME-Version: 1.0
References: <167724601881.59677.12957566760779128172@ietfa.amsl.com> <CA+k3eCTuHWqeyd-thayPwGZY8tqP=JVgqcMu+rtd1-zPncYC5g@mail.gmail.com>
In-Reply-To: <CA+k3eCTuHWqeyd-thayPwGZY8tqP=JVgqcMu+rtd1-zPncYC5g@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 24 Feb 2023 16:35:38 -0700
Message-ID: <CA+k3eCQao=XEWo9F_3ukbi=OcuLjtwtFNLd5h87CGp8q_HC9pA@mail.gmail.com>
To: Peter Yee <peter@akayla.com>
Cc: gen-art@ietf.org, draft-ietf-httpbis-client-cert-field.all@ietf.org, ietf-http-wg@w3.org, last-call@ietf.org
Content-Type: multipart/alternative; boundary="000000000000eece6205f57a9746"
Received-SPF: pass client-ip=2607:f8b0:4864:20::433; envelope-from=bcampbell@pingidentity.com; helo=mail-pf1-x433.google.com
X-W3C-Hub-DKIM-Status: validation passed: (address=bcampbell@pingidentity.com domain=pingidentity.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1pVhbu-00D4cg-MH 50a3a714ec092a8a675c49ffdac45a49
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Genart last call review of draft-ietf-httpbis-client-cert-field-04
Archived-At: <https://www.w3.org/mid/CA+k3eCQao=XEWo9F_3ukbi=OcuLjtwtFNLd5h87CGp8q_HC9pA@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/50750
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
FWIW, I've prepared this PR with those changes https://github.com/httpwg/http-extensions/pull/2425 A preview can be seen here https://httpwg.org/http-extensions/cert/genart-review/draft-ietf-httpbis-client-cert-field.html As well as a diff https://author-tools.ietf.org/iddiff?url1=https://httpwg.github.io/http-extensions/draft-ietf-httpbis-client-cert-field.txt&url2=https://httpwg.github.io/http-extensions/cert/genart-review/draft-ietf-httpbis-client-cert-field.txt On Fri, Feb 24, 2023 at 3:16 PM Brian Campbell <bcampbell@pingidentity.com> wrote: > Thank you Peter for the thorough review! > > I'll make those clarifications re: Client-Cert and Client-Cert-Chain in > sec 2 and the appx. Although I think adding the root certificate to > Client-Cert-Chain is more of a 'can' than a 'should' depending on > deployment needs. Regardless, I'll add some text to clarify. And will, of > course, fix all the nits/editorial comments too. > > You are absolutely right that there's potentially a lot of bytes on the > wire overhead in adding the client cert and possibly the certificate chain > to every request. However, approaches like substituting something smaller > on subsequent requests would entail different challenges and overhead - > particularly with respect to maintaining and keeping state. Also, the aim > of this draft is to document existing practice while codifying specific > details, like header names and structure, so as to hopefully facilitate > improved and lower-touch interoperability going forward (that goal/scope > could be more explicitly stated in the intro and I'll look to add something > as such). And existing practice is (largely) to stick the certs in headers > on each request. > > > > On Fri, Feb 24, 2023 at 6:40 AM Peter Yee via Datatracker < > noreply@ietf.org> wrote: > >> Reviewer: Peter Yee >> Review result: Ready with Issues >> >> I am the assigned Gen-ART reviewer for this draft. The General Area >> Review Team (Gen-ART) reviews all IETF documents being processed >> by the IESG for the IETF Chair. Please treat these comments just >> like any other last call comments. >> >> For more information, please see the FAQ at >> >> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>. >> >> Document: draft-ietf-httpbis-client-cert-field-04 >> Reviewer: Peter Yee >> Review Date: 2023-02-24 >> IETF LC End Date: 2023-02-23 >> IESG Telechat date: Not scheduled for a telechat >> >> Summary: This draft documents a standardized means of conveying a client >> certificate and chain between a TLS-terminating reverse proxy (TTRP) and >> an >> origin server so as to allow the origin server to make decisions based on >> the >> identity of the client. This draft is fairly straightforward and not >> difficult >> to follow, but there are a couple of issues that could use clarification. >> [Ready with issues.] >> >> Major issues: None >> >> Minor issues: >> >> The text defining the header fields for Client-Cert and Client-Cert-Chain >> in >> section 2 along with the example in Appendix A should make clear: >> >> 1) The client certificate placed in Client-Cert is not included in the >> optional >> Client-Cert-Chain. 2) Client-Cert-Chain should only appear when >> Client-Cert is >> also present. 3) That the root certificate of the chain should be added >> to the >> Client-Cert-Chain by the TTRP. >> >> Confusion might arise because the header definitions make no mention of >> this, >> but the example in Appendix A shows a certificate chain (Figure 1) that is >> inclusive of a client certificate, but Figure 3 shows that the client >> certificate is not included in the chain. The text in Appendix A says the >> client only presents the client and intermediate certificate, so point #3 >> above >> is needed. >> >> In section 2.4, second paragraph, second sentence: this seems really >> expensive >> to add the client cert and possibly the certificate chain to every >> request the >> client sends to the TTRP. The sending of those fields to the could >> outweigh the >> size of the request by quite a bit. Would it be possible to substitute >> something smaller on subsequent requests between the TTRP and the origin >> server >> since they already require a trusted connection between them? A hash of >> the >> field(s) value(s)? Something else that helps combat the potential >> overhead? I >> realize that I'm asking about a non-trivial change to the draft, which is >> easy >> for me to do and difficult for the authors to implement. ;-) >> >> Nits/editorial comments: >> >> General: >> >> Change all occurrences of “mutually-authenticated” to “mutually >> authenticated”. >> >> Specific: >> >> Page 6, section 2.4, 2nd paragraph, 2nd sentence: change the “are” to >> “is”. >> >> Page 8, section 3.2, 3rd sentence: append a comma after “e.g.”. >> >> Page 8, section 4, 1st paragraph, 1st sentence: change “server side” to >> “server-side”. >> >> Page 8, section 4, 2nd paragraph, 2nd sentence: append a comma after >> “fields”. >> >> Page 9, 3rd paragraph, 5th sentence: append a comma after “Alternatively”. >> >> Page 15, section B.1, 3rd sentence: change the semicolon after “possible” >> to a >> comma. >> >> Page 15, section B.3, 1st sentence: delete one period after “etc”. >> >> Page 16, 1st partial paragraph: append a comma after “full”. >> >> >> >> -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- Genart last call review of draft-ietf-httpbis-cli… Peter Yee via Datatracker
- Re: Genart last call review of draft-ietf-httpbis… Brian Campbell
- Re: Genart last call review of draft-ietf-httpbis… Brian Campbell
- RE: Genart last call review of draft-ietf-httpbis… Mike Bishop