IETF Logo Mail Archive

Re: [Secdispatch] Request for secdispatch time slot in Vancouver IETF: Client-Cert HTTP Header

Brian Campbell <bcampbell@pingidentity.com> Mon, 30 March 2020 18:05 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47BE53A0A20 for <secdispatch@ietfa.amsl.com>; Mon, 30 Mar 2020 11:05:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DiXDQfZa1WXG for <secdispatch@ietfa.amsl.com>; Mon, 30 Mar 2020 11:05:09 -0700 (PDT)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E02FD3A0FFD for <secdispatch@ietf.org>; Mon, 30 Mar 2020 11:03:52 -0700 (PDT)
Received: by mail-lj1-x22e.google.com with SMTP id 19so19090632ljj.7 for <secdispatch@ietf.org>; Mon, 30 Mar 2020 11:03:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sdB5KN1KHWUobMc7Xq+PGaDPz0VyECgeFTp+kt3p3XQ=; b=AcHdCUEquxkrBTrw0wFdOglei7T+Z+8vTctiAyR+4VbvrZ05ZVTtmhrlWSlx062rz+ kCj4dJOpRxZa+UDCYYV0Z/e5fyjOSnE9p/uPn4qPwK8Wa+it0VF9hT9RcPTZEbdI7RCW 4TjVC8lUxOD8/DI94AOesw3/NYp6lVGadA9ksFavN6SkYO2h1Jmic5tSVmZ3tMPU3ZM+ 9MF4am7BKfmwlEN+6tTC30R370DM4kpu8BjRAFfgK9DhtltX3xsYduq4XNQcniKJY3Fx Pj2X2R9nJqWci70SwrCTndLgXU3+AOgTFOz8czwOk7d9Ihi13h8DgArWT0u0YQZHbHAl OzHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sdB5KN1KHWUobMc7Xq+PGaDPz0VyECgeFTp+kt3p3XQ=; b=Z9T2L4TwIKb1d/3zYpA4b1XzZzoGBy3THhcM8kH3w/1uY+oOFXRsxP/nWdEfPefHpG DHekz/EieGCcXuwzmjilV98mQLullBB80NZlQQfgtPUurK4sJYeGg7ivUD9H15byqkGS DUYc35nVWZDRrmoJNGZC6iN1Er+nJwcBsBiPa713RTER4SKc6wJDSyxP0F0FvjhQ6Rf4 zbrCe3/DrTUGgmettm3gZYNHwAXwYlGC5+fE7tUqrjO9gVJJylubEgNMAXpvtY7gd9NA 3yAeyzXiKc3//GBuivbyJS5DQFdKfE+HW8Qi0vd4H5CGL/6Wxdu5Y4LfmbGRd+Da2kdM +W/A==
X-Gm-Message-State: AGi0PuYg+NN9KaZ8nZddb7v/AQupTO9txYBSqCTxRirceKNQPNc1ETW6 B6wbPcoHoPdMkXCEhiblXu8Q0dhAURT8NGc8Ley91XOtXuPmPr+xmrNXqfvKS1lzj/WdJ9RFcB6 oMioeGbIqsn16X43YapoHpQ==
X-Google-Smtp-Source: APiQypJCMakfFV2S09KklW2pVvBXr1dDH43o2ovEscq5qpoFadSIaYIRgCBpf09t5HWHP/tAUFPWb5DNAnHqKdcRyKo=
X-Received: by 2002:a2e:97cd:: with SMTP id m13mr8056487ljj.20.1585591430989; Mon, 30 Mar 2020 11:03:50 -0700 (PDT)
MIME-Version: 1.0
References: <CA+k3eCTPisEFnxecjzpNAssSbTuUbUxQ+Hm+m+sjq__2Cpy9pg@mail.gmail.com> <CABcZeBPJO4j0KZk=zjopN2oEWLN-NrYRtKO=GuQ2e5CzH7=iPA@mail.gmail.com> <a93a634a-22db-682a-77bb-d6e8199c8372@ericsson.com>
In-Reply-To: <a93a634a-22db-682a-77bb-d6e8199c8372@ericsson.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 30 Mar 2020 12:03:24 -0600
Message-ID: <CA+k3eCQXW0gfjOu9zn7wE7cxkccTFxSji9n99F6UbFWbcdV=Zw@mail.gmail.com>
To: Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>
Cc: Eric Rescorla <ekr@rtfm.com>, IETF SecDispatch <secdispatch@ietf.org>, "secdispatch-chairs@ietf.org" <secdispatch-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000000edff05a2164663"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/XmeD6unwrPgUfCsmT42MIH0N63Q>
Subject: Re: [Secdispatch] Request for secdispatch time slot in Vancouver IETF: Client-Cert HTTP Header
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2020 18:05:13 -0000

As I just tried to articulate to EKR in the last mail, passing the
end-entity cert vs. including intermediates or the whole chain, or
something else is a topic that's up for discussion should this document
find a home where it can be worked on and progressed. But as it true with
most things, there are tradeoffs involved. And as explained in the draft,
my first best attempt at finding the right place in the tradeoffs was to go
with the end-entity cert and not more or less.

On Fri, Mar 27, 2020 at 4:17 PM Mohit Sethi M <mohit.m.sethi=
40ericsson.com@dmarc.ietf.org> wrote:

> Hi Brian,
>
> On further thought, I actually agree that passing the entire chain makes
> more sense. This would be useful if the TLS proxy doesn't have the trust
> anchor (but the backend server has it).
>
> --Mohit
> On 3/27/20 7:21 PM, Eric Rescorla wrote:
>
>
> Overall, I agree that something like this is needed. However,
> I have two concerns about the mechanism described here.
>
> First, as you note in S B.1., if the header is not properly
> sanitized, there is a trivial attack and there are stronger
> mechanism that do not require sanitization:
>
>    "Client-Cert" header that would appear to the backend to have come
>    from the reverse proxy.  Although numerous other methods of
>    detecting/preventing header injection are possible; such as the use
>    of a unique secret value as part of the header name or value or the
>    application of a signature, HMAC, or AEAD, there is no common general
>    standardized mechanism.  The potential problem of client header
>    injection is not at all unique to the functionality of this draft and
>    it would therefor be inappropriate for this draft to define a one-off
>    solution.  In the absence of a generic standardized solution existing
>    currently, stripping/sanitizing the headers is the de facto means of
>    protecting against header injection in practice today.  Sanitizing
>
> This seems like an odd argument to make: if a strong mechanism is
> in order, we should design one and make it generic, not just throw
> and continue to use weaker mechanisms.
>
>
> Second, I think it's quite unwise to only pass the EE cert. This
> means that the server will be unable to independently evaluate
> the cert chain, which (1) is unduly restrictive on the architecture
> because it forces the proxy to do it and (2) means that there
> is no backstop in the case where the proxy makes errors or
> has a not-very-good validator. You should pass the whole chain.
> This also implies that you should have a way to pass extensions
> such as SCTs and stapled OCSP responses.
>
>
> Finally, two points about TLS integration.
>
> 1. You should define how this works in the case of resumption
> of a connection that had client auth. Should the proxy attach the
> chain from the original connection?
>
>
> 2. How do you handle post-handshake client authentication? Specifically:
> (a) How do you handle the situation in which part of the HTTP
> request is covered by the client cert?
>
> (b) Post-handshake client authentication allows for the client
> to authenticate with multiple certificates one after the other.
> How is this propagated to the server?
>
> On Mon, Mar 2, 2020 at 1:51 PM Brian Campbell <bcampbell=
> 40pingidentity.com@dmarc.ietf.org> wrote:
>
>> Hello SecDispatchers and Chairs thereof,
>>
>> I'd like to request some time on the agenda in Vancouver to present on
>> https://datatracker.ietf.org/doc/draft-bdc-something-something-certificate/
>> in an effort to gauge interest and potentially find an appropriate venue
>> for the work to proceed (or just put it and its ridiculously long title out
>> of its misery).
>>
>> Client-Cert HTTP Header: Conveying Client Certificate Information from
>>      TLS Terminating Reverse Proxies to Origin Server Applications
>>
>> Abstract
>>
>>    This document defines the HTTP header field "Client-Cert" that allows
>>    a TLS terminating reverse proxy to convey information about the
>>    client certificate of a mutually-authenticated TLS connection to an
>>    origin server in a common and predictable manner.
>>
>> Discussion around the value of having something like this defined
>> happened in the OAuth WG a bit before the Singapore meeting (no doubt
>> that's not the only time but it's the one in which I was involved recently)
>> and an AD nudged me to secdispatch -
>> https://mailarchive.ietf.org/arch/msg/oauth/jQ5MAZ1XCvxWbHwqlT3ITEEQoKo/
>> falls somewhere in the middle of that long and sometimes contentious
>> thread. I was unable to get a draft published prior to the I-D submission
>> cut-off for Singapore and got a short "if time allows" presentation slot at
>> the meeting. The judgment coming out of that meeting was "needs draft".
>>
>> I did get an actual draft published a bit after Singapore (the one with
>> the ridiculously long title previously mentioned) and there's been some, if
>> not exactly an overwhelming amount of, discussion and support of it on this
>> very list:
>> https://mailarchive.ietf.org/arch/search/?q=%22draft-bdc-something-something-certificate%22
>>
>> Thanks.
>> Brian Campbell
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited..
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*_______________________________________________
>> Secdispatch mailing list
>> Secdispatch@ietf.org
>> https://www.ietf.org/mailman/listinfo/secdispatch
>>
>
> _______________________________________________
> Secdispatch mailing listSecdispatch@ietf.orghttps://www.ietf.org/mailman/listinfo/secdispatch
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email