IETF Logo Mail Archive

RE: Client Certificates - re-opening discussion

Mike Bishop <Michael.Bishop@microsoft.com> Mon, 21 September 2015 18:27 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88FBA1B33FF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 21 Sep 2015 11:27:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.012
X-Spam-Level:
X-Spam-Status: No, score=-7.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pNp9R4hnnzFg for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 21 Sep 2015 11:27:39 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D9D21ACDEE for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 21 Sep 2015 11:27:39 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Ze5lF-0002qa-Lp for ietf-http-wg-dist@listhub.w3.org; Mon, 21 Sep 2015 18:24:21 +0000
Resent-Date: Mon, 21 Sep 2015 18:24:21 +0000
Resent-Message-Id: <E1Ze5lF-0002qa-Lp@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <Michael.Bishop@microsoft.com>) id 1Ze5l5-0002m6-0p for ietf-http-wg@listhub.w3.org; Mon, 21 Sep 2015 18:24:11 +0000
Received: from mail-bn1bon0114.outbound.protection.outlook.com ([157.56.111.114] helo=na01-bn1-obe.outbound.protection.outlook.com) by maggie.w3.org with esmtps (TLS1.2:RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <Michael.Bishop@microsoft.com>) id 1Ze5l2-00070P-FN for ietf-http-wg@w3.org; Mon, 21 Sep 2015 18:24:10 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=CgGcKuKXEJ9H2nG/McAsLgTSIfcC2MTB2LfCb6DD1hU=; b=DUjdmlxXlfv8SwXAH4rcDjAFa2Q/05D66x14UCLF8gxRzUIlhRSXPh5J2FrRTq/no6WkU4K8/yuXN61k3oGDUT6vwdM7tduT8shoQUsCyVNFQZgy18eQHEw64Bile0Gr9x1Tqu1VWkWgPOaG2tgq6VG0vREa0TbPvU6WYrD928E=
Received: from CY1PR03MB1374.namprd03.prod.outlook.com (10.163.16.28) by CY1PR03MB1374.namprd03.prod.outlook.com (10.163.16.28) with Microsoft SMTP Server (TLS) id 15.1.274.16; Mon, 21 Sep 2015 18:23:40 +0000
Received: from CY1PR03MB1374.namprd03.prod.outlook.com ([10.163.16.28]) by CY1PR03MB1374.namprd03.prod.outlook.com ([10.163.16.28]) with mapi id 15.01.0274.009; Mon, 21 Sep 2015 18:23:40 +0000
From: Mike Bishop <Michael.Bishop@microsoft.com>
To: "henry.story@bblfish.net" <henry.story@bblfish.net>, HTTP Working Group <ietf-http-wg@w3.org>
Thread-Topic: Client Certificates - re-opening discussion
Thread-Index: AQHQ8ZZXEEnFRnQG4U+imwUG9Fc1t55ChnhKgAA9MwCAAAJwAIAArZ+AgAC4BACAAD7oMIABjocAgABckDCAAC8vAIAAaFsAgAALpACAAAQwgIAAEzaAgAAUngCAABV7gIAAEs2AgAACvAA=
Date: Mon, 21 Sep 2015 18:23:40 +0000
Message-ID: <CY1PR03MB137427E0C66A2297C844DDBF87460@CY1PR03MB1374.namprd03.prod.outlook.com>
References: <63DECDF0-AB59-4AFD-8E48-8C2526FD6047@mnot.net> <42DDF1C6-F516-4F71-BAE0-C801AD13AA01@co-operating.systems> <2F3BD1CB-042D-48AB-8046-BB8506B8E035@mnot.net> <CABcZeBNpjbNdeqxP_cwCDygk6_MVDoNhqcMEDmEvEBxztmonLg@mail.gmail.com> <20150918205734.GA23316@LK-Perkele-VII> <70D2F8CE-D1A2-440F-ADFC-24D0CE0EDCF1@greenbytes.de> <CABcZeBPNxEA6O324tnF3dbUCLD-a7uUvWYYjO1pnYwAm9cN2eA@mail.gmail.com> <CY1PR03MB1374F1CA73EFDA80C7CE44E887580@CY1PR03MB1374.namprd03.prod.outlook.com> <9BD53F44-94BA-4931-891A-BD94B5F440D0@gmail.com> <CY1PR03MB1374BE698FEB732EBB9BD96087460@CY1PR03MB1374.namprd03.prod.outlook.com> <68879535-44AB-4E68-BA42-827BA334D9A8@gmail.com> <CAJU8_nX3kOxTavtz6s8EV_M0wfvgQorDsVDRszqqebVEHh++kw@mail.gmail.com> <C6DB2FC1-AA9B-43B9-BF28-AFB6B2957F9E@gmail.com> <6B89D91E-8E76-46E0-A2B5-1E764DDC5AD0@greenbytes.de> <CAJU8_nX5jY6X0Nnd5Vke0wpYS3UCsmyzqvD6xoQ4u_L7Wfr3SQ@mail.gmail.com> <4456BAAA-125B-4038-AAC7-77A20F0C75B1@co-operating.systems> <CAJU8_nV4=iPowBOysL9Wz5Wyrm4OiKs0J4s6E3fmCQmv9=MyHw@mail.gmail.com> <C874EAAC-FF26-42C6-BB6C-5785A6508664@bblfish.net>
In-Reply-To: <C874EAAC-FF26-42C6-BB6C-5785A6508664@bblfish.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Bishop@microsoft.com;
x-originating-ip: [2001:4898:80e8::19]
x-microsoft-exchange-diagnostics: 1; CY1PR03MB1374; 5:kMmVGAHL41uqBnT2f2Wa4xdgBpfVLeAyX1YxWedUKwXwYUJj2Pzf2twfG7/cdc4KFbXjPT8ysvIivT0ZgKuu5flZT6uwLeMDqvqWJT98SHHiVNHLr/1opUG+WUGBGMNi5K7TW4ZlqEl1PH90h+vp6w==; 24:zVG+Qgbudiox/TQvM0pwSLyBGSFe5RJ4MYKTAMfw5yfY/OzdwlG/BxDBJalYKaB5x7fXqMDIFzuWBB+qHkNWyHpLEtq+HFXXrREnKccGiCk=; 20:tpWtnmDvYs5eBWZs3rQU/whIxurz0JqDl2aY/JEw1C+rPIziUddeRhWHgFUXeei3PG0Ikx/5j3DxTFew0XnHPw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR03MB1374;
x-exchange-antispam-report-cfa: BCL:0; PCL:0; RULEID:; SRVR:CY1PR03MB1374; BCL:0; PCL:0; RULEID:; SRVR:CY1PR03MB1374;
x-forefront-prvs: 07063A0A30
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(24454002)(377454003)(13464003)(199003)(55674003)(189002)(15975445007)(76576001)(77096005)(5002640100001)(8990500004)(74316001)(102836002)(68736005)(2950100001)(86612001)(64706001)(2900100001)(92566002)(93886004)(77156002)(5003600100002)(5004730100002)(5001770100001)(5001830100001)(5001860100001)(11100500001)(107886002)(97736004)(62966003)(81156007)(189998001)(5005710100001)(2501003)(4001540100001)(46102003)(10090500001)(10400500002)(10290500002)(19580405001)(99286002)(76176999)(105586002)(87936001)(19580395003)(54356999)(50986999)(40100003)(106356001)(106116001)(15395725005)(86362001)(101416001)(122556002)(33656002)(3826002)(336755003)(18886065003); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR03MB1374; H:CY1PR03MB1374.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Sep 2015 18:23:40.3603 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR03MB1374
Received-SPF: pass client-ip=157.56.111.114; envelope-from=Michael.Bishop@microsoft.com; helo=na01-bn1-obe.outbound.protection.outlook.com
X-W3C-Hub-Spam-Status: No, score=-3.9
X-W3C-Hub-Spam-Report: AWL=-2.407, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_NW=0.5
X-W3C-Scan-Sig: maggie.w3.org 1Ze5l2-00070P-FN b58ecf3d33b4c124d88dc6113149fcb7
X-Original-To: ietf-http-wg@w3.org
Subject: RE: Client Certificates - re-opening discussion
Archived-At: <http://www.w3.org/mid/CY1PR03MB137427E0C66A2297C844DDBF87460@CY1PR03MB1374.namprd03.prod.outlook.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/30254
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

I have no issue with defining something at the application layer that becomes a viable alternative to move toward.  In the meantime, though, we want a way for applications built on the old/current model to use HTTP/2.

For your forward-facing model, there will need to be something more than just posting the cert -- there has to be a proof that the private key is owned.  But the general model of doing it at the app level is a direction to explore.

-----Original Message-----
From: henry.story@bblfish.net [mailto:henry.story@bblfish.net] 
Sent: Monday, September 21, 2015 11:06 AM
To: HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: Client Certificates - re-opening discussion


> On 21 Sep 2015, at 17:58, Kyle Rose <krose@krose.org> wrote:
> 
>> It is true that authentication at the TLS layer is much rougher, as I 
>> think the client can only authenticate with 1 certificate not more, 
>> per connection.
> 
> Right, and the inability to support this leads to a bunch of 
> kludgey-feeling solutions, like 421s. This situation was always 
> possible with HTTP/1.1, but is a lot more likely with H2.

So there is another question: are the two incompatible? 

It may also be worth having the old solution for a transition period, until new answers come up. Then as they prove themselves, which should be easy as they will be a lot more flexible ( but also therefore in danger of more misimplementations ), the older TLS certificate system can go away.

> Pushing the authentication into the application layer seems like it 
> could be cleaner. Provide browser support for setting a 
> CertificateVerify header (e.g., based on a signature of the channel 
> binding), something that can be cached by the client and server and 
> reused on all relevant streams over the same connection.

The idea would be for example that a 401 with a 

 WWW-Authenticate: Certificate, upload="/certs" 

The client could then POST the (x509?) certificate to that location, and receive a Location: header containing a URL that it could re-use on future connections, and which it could use for authentication with something like draft-cavage-http-signatures [1]

The nice thing, is that this would allow one to also use URLs of certificates  on remote servers, to avoid the whole process of certificate uploads. ( but the problem of people not having a server would be solved by the POST described above )

Also this provides an easy way to disable certificates by removing them from that URL.

You could then further do content negotiation on that URL and allow many different formats to be returned, enabling a move to JSON certificate formats a la JOSE or based on JSON-LD.

> Signalling
> for "you need to authenticate" and sending the client certificate to 
> the server would then be entirely at the application layer, possibly 
> with the support of HTTP status codes, and TLS client certificate 
> authentication wouldn't be used in this case.
> 
> This sort of application layer approach may also make a better client 
> UX more natural, by moving the logic for prompting the user for a 
> certificate into the web app UI.

Would that require the client to also be able to independently get access to the channel binding? 

Wether the WebAPP UI can do this will depend on wether the WebApp can intercept the 401's sent by the server. This is the type of thing that could be done by ServiceWorkers [2] I am told, but figuring that out from the spec is not really easy. I am going to send a message to the WebApps group to verify that this is possible across origins.

Still even if WebApps were able to do this authentication across origins, it would still be very useful for the browsers themselves to be able to authenticate to a remote origin without going through these WebApps, so that one could test out resources outside of an App. Ie. I think there will always be a need for browsers to provide cross origin authentication mechanisms. WebApps will be more flexible to innovate, but the successful ones should be rolled into the browser.


Henry

[1] https://tools.ietf.org/html/draft-cavage-http-signatures-04

[2] Which just started gone into Candidate Recommendation and feedback is 
saught
https://slightlyoff.github.io/ServiceWorker/spec/service_worker_1/

> 
> Kyle
> 

Social Web Architect
http://bblfish.net/

v2.23.0 | Report a Bug | By Email