Re: [Secdispatch] Request for secdispatch time slot in Vancouver IETF: Client-Cert HTTP Header
Eric Rescorla <ekr@rtfm.com> Tue, 31 March 2020 00:57 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCA923A16D0 for <secdispatch@ietfa.amsl.com>; Mon, 30 Mar 2020 17:57:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.004
X-Spam-Level:
X-Spam-Status: No, score=0.004 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D3Se9PH7wUJY for <secdispatch@ietfa.amsl.com>; Mon, 30 Mar 2020 17:57:48 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B76153A15AF for <secdispatch@ietf.org>; Mon, 30 Mar 2020 17:57:47 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id k21so20221314ljh.2 for <secdispatch@ietf.org>; Mon, 30 Mar 2020 17:57:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MkqfjbUqyoK1P6Qf5pxGxlxDSdLiSQqLAjU6fkxL8CI=; b=REEUHpcw4fMS545KetPYlw7P1qxzyiXxwAZ1FMiJKtGHyKojgB+GDrwJuOHc0vG+mS 8VF9z5u9KRWuzRAvjUkHv3MKq/HuQkH8iApmlNSDlRa4kkaQvXAbZU8u/dN4MW2scUTz CecjbnACYcnP0l3KbwzBYlfVS0TXKvAznvFc0A6CU4y8pbedIymPJ74Sm+h3lb0PkXXu /iEbBNEXiaLe4br5GuErHWtfHIp0xBBE4bW9Hu4u/DYrOBM7xMaOE7EmU8qUe5IPyp6f ISg9/RA8WblXCKUdRWux3Rib1z3pL5VK7uJLIrOe/G86L8qGrKHDSls8bj3cPrmCW71V w0jQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MkqfjbUqyoK1P6Qf5pxGxlxDSdLiSQqLAjU6fkxL8CI=; b=Se4S/eHBiAvRomRYzD3jRDJRC2cRlQLuucFhcC12lTeb25MvgDtLLgb4v0fc0vXqll yWA+64a5J0b6dHxt8Q9fQgpc4tFaePytXBUX5UbUHoGTdHQO36Mag0mYKKmGMCaftRgs Xk7PFTuHsBQglKOZnkdI0bS7j09TAn5TCW0q63RODyQlI6wP7CH6IUVqjFjbf+Mf3TDY aGhXXR3wm2KMVEQ6jvIsbl5XbROWYVukNYCWyga99GfACgVyU+2MlZNkay4py9s+vw/q Wx2rtxrvTvM4gZhq8AjuzQVNY+ubC+XEqNsW/2fMc4E2WTaNE2LyTaaYgTL3F3iB++0X 3xuQ==
X-Gm-Message-State: AGi0PuaNEEjq84KeWr3K0BgS9B9eAOWTvrQJj6/cFdtalc2Vd0DPuwle NTgi6MyQqGqKvsG2aUxXk8jcm79dgUpCH6EsyVAr0w==
X-Google-Smtp-Source: APiQypJDlvgh/vtGO9rqYjPoQEkwPxasZ7os64cSlypvbU901xNC7BGGN8P6UYh5rA3SwWyFOk/6wxesMOOOCijKP4E=
X-Received: by 2002:a2e:780a:: with SMTP id t10mr8951856ljc.83.1585616265760; Mon, 30 Mar 2020 17:57:45 -0700 (PDT)
MIME-Version: 1.0
References: <CA+k3eCTPisEFnxecjzpNAssSbTuUbUxQ+Hm+m+sjq__2Cpy9pg@mail.gmail.com> <CABcZeBPJO4j0KZk=zjopN2oEWLN-NrYRtKO=GuQ2e5CzH7=iPA@mail.gmail.com> <CA+k3eCQ9hd6rOkxLjS3hACMT3=eC+ojq3DS_XgkcRHRrJc7xdA@mail.gmail.com> <CABcZeBNroHGFdRXJE1X3PxF__SNeH_X3FAjJDVRgCTwGaORDLg@mail.gmail.com> <CA+k3eCS6Ua-JOOw=kRST2aZo_0BXuYw21p+nYK1D7xrdDZVDXA@mail.gmail.com>
In-Reply-To: <CA+k3eCS6Ua-JOOw=kRST2aZo_0BXuYw21p+nYK1D7xrdDZVDXA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 30 Mar 2020 17:57:09 -0700
Message-ID: <CABcZeBNF62Hg_iRzyNP2CrKLf0chKp81fhRyw3m+a6DhDL9thQ@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: secdispatch-chairs@ietf.org, IETF SecDispatch <secdispatch@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004574df05a21c0e3c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/jWKPvYYN4DRJDr0Fm6qZPhQpZT8>
Subject: Re: [Secdispatch] Request for secdispatch time slot in Vancouver IETF: Client-Cert HTTP Header
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2020 00:57:51 -0000
On Mon, Mar 30, 2020 at 2:03 PM Brian Campbell <bcampbell@pingidentity.com> wrote: > I didn't expect it to be any more persuasive. I was only hoping it'd be > sufficient to avoid relitigating the whole thing. > For obvious reasons, I'm not that excited about that. Especially because, short of spinning up a significant bit of new work, I > don't see how the outcome will be any different. I'm not looking for just > for a code point registration for something that's de facto. I'm > endeavoring to bring some level of commonality to a situation that happens > in practice now so as to hopefully improve interoperability. > Again, I'm fine to see an informational document with a code point registration, but the import of a Proposed Standard is that the IETF thinks this is a good idea, and ISTM that the design you have proposed is not in fact have security properties we would otherwise want. In working on the document I did try to educate myself somewhat on things > that would be less than straightforward. When doing that I came across the > recently published RFC 8740, which "updates RFC 7540 [HTTP/2] by forbidding > TLS 1.3 post-handshake authentication." > Ah, good. So this just applies to HTTP 1.1. -Ekr > > On Mon, Mar 30, 2020 at 12:13 PM Eric Rescorla <ekr@rtfm.com> wrote: > >> >> >> On Mon, Mar 30, 2020 at 10:38 AM Brian Campbell < >> bcampbell@pingidentity.com> wrote: >> >>> >>> Thanks for the review and feedback, Eric. My attempts at >>> answers/responses are inline below. >>> >>> On Fri, Mar 27, 2020 at 11:22 AM Eric Rescorla <ekr@rtfm.com> wrote: >>> >>>> >>>> Overall, I agree that something like this is needed. However, >>>> I have two concerns about the mechanism described here. >>>> >>>> First, as you note in S B.1., if the header is not properly >>>> sanitized, there is a trivial attack and there are stronger >>>> mechanism that do not require sanitization: >>>> >>>> "Client-Cert" header that would appear to the backend to have come >>>> from the reverse proxy. Although numerous other methods of >>>> detecting/preventing header injection are possible; such as the use >>>> of a unique secret value as part of the header name or value or the >>>> application of a signature, HMAC, or AEAD, there is no common general >>>> standardized mechanism. The potential problem of client header >>>> injection is not at all unique to the functionality of this draft and >>>> it would therefor be inappropriate for this draft to define a one-off >>>> solution. In the absence of a generic standardized solution existing >>>> currently, stripping/sanitizing the headers is the de facto means of >>>> protecting against header injection in practice today. Sanitizing >>>> >>>> This seems like an odd argument to make: if a strong mechanism is >>>> in order, we should design one and make it generic, not just throw >>>> and continue to use weaker mechanisms. >>>> >>> >>> Ironically, that text was written (at least in part) in an attempt to >>> head off having this very argument with you. We (you and I specifically) >>> have been down this road before discussing essentially the same issue with >>> respect to (the now defunct for unrelated reasons) >>> https://datatracker.ietf.org/doc/draft-ietf-tokbind-ttrp/ and there >>> sure didn't seem to be be sufficient appetite to work on a generic >>> solution. >>> >> >> Well, I don't know why you think that I would have found it more >> persuasive this time around. >> >> >> Maybe that's changed and there is more of an appetite now? Maybe. There >>> was some talk at the secdispatch session of the prospect of spinning up or >>> splitting off a WG to work on reverse proxy stuff. But a lot more than talk >>> is needed and I maintain that, in the absence of something generic being >>> defined and widely available, the de facto is sufficiently good and >>> appropriate for a document/draft like this. >>> >> >> Well, if what you want is a code point registration for something that's >> de facto, then sure, but if you want to have an IETF PS, then the solution >> should reflect what we ordinarily consider to be best practice. >> >> >> >>> >>>> >>>> Second, I think it's quite unwise to only pass the EE cert. This >>>> means that the server will be unable to independently evaluate >>>> the cert chain, which (1) is unduly restrictive on the architecture >>>> because it forces the proxy to do it and (2) means that there >>>> is no backstop in the case where the proxy makes errors or >>>> has a not-very-good validator. You should pass the whole chain. >>>> >>> >>> Passing the end-entity cert vs. including intermediates or the whole >>> chain is something that's up for discussion should this document find a >>> home where it can be worked on and progressed. As with most things, there >>> are tradeoffs involved. >>> >>> What you describe as unduly restrictive, however, could also be viewed >>> as properly constraining different components to doing the most appropriate >>> functionality. The backend server doing the validation would mean it has to >>> evaluate the cert chain on every request (which is likely prohibitively >>> expensive with multiple public key opperations) and/or have some >>> complicated caching. And allowing either piece to do the validation could >>> also increase the likelihood that things are set up such that neither >>> actually does it. >>> >> >> ISTM that we have quite a bit of experience with MITM proxies (a slightly >> different setting) and the quality of checking varies wildly, so I would >> prefer to leave the origin server with the ability to do this work. >> >> >> >>> >>> >>>> This also implies that you should have a way to pass extensions >>>> such as SCTs and stapled OCSP responses. >>>> >>> >>> I was under the (maybe naive) impression that such things were largely >>> or even exclusively for the server side and not applicable or defined for >>> the client side? >>> >> >> That's the situation now, but it might not be in the future. >> >> >>> >>> >>>> >>>> Finally, two points about TLS integration. >>>> >>>> 1. You should define how this works in the case of resumption >>>> of a connection that had client auth. Should the proxy attach the >>>> chain from the original connection? >>>> >>> >>> Is such a resumed connection still considered to be client >>> authenticated? I thought so and thus my assumption/expectation was that yes >>> the proxy would attach the chain from the original connection. Is that >>> problematic for some reason? Or are you just saying that it needs to be >>> stated explicitly in the document? >>> >> >> I'm saying that it needs to be in the document. >> >> >>> >>>> >>>> 2. How do you handle post-handshake client authentication? Specifically: >>>> (a) How do you handle the situation in which part of the HTTP >>>> request is covered by the client cert? >>>> >>>> (b) Post-handshake client authentication allows for the client >>>> to authenticate with multiple certificates one after the other. >>>> How is this propagated to the server? >>>> >>> >>> I'd been thinking that post-handshake authentication and renegotiation >>> were forbidden so these questions were out of scope. But I guess that only >>> applies to HTTP/2? >>> >> >> I'm not aware of any restriction on post-handshake auth for H2 (H2 was >> designed before TLS 1.3). >> >> -Ekr >> >> >>> So, off-the-cuff I'd say that for (a) the header is only passed on >>> requests that are covered in full by the cert. But that pragmatically it's >>> super difficult or impossible with the APIs in the average environment to >>> figure out what application data came before or after the cert auth and so >>> it'll end up being however a particular proxy implementation treats this >>> situation currently but just with a standard header. For (b) I'd say only >>> propagate the most recent one. >>> >>> Having given my half-assed answers though, I'd welcome input if you >>> think there are better answers. >>> >>> >>> >>> >>>> >>>> On Mon, Mar 2, 2020 at 1:51 PM Brian Campbell <bcampbell= >>>> 40pingidentity.com@dmarc.ietf.org> wrote: >>>> >>>>> Hello SecDispatchers and Chairs thereof, >>>>> >>>>> I'd like to request some time on the agenda in Vancouver to present on >>>>> https://datatracker.ietf.org/doc/draft-bdc-something-something-certificate/ >>>>> in an effort to gauge interest and potentially find an appropriate venue >>>>> for the work to proceed (or just put it and its ridiculously long title out >>>>> of its misery). >>>>> >>>>> Client-Cert HTTP Header: Conveying Client Certificate Information from >>>>> TLS Terminating Reverse Proxies to Origin Server Applications >>>>> >>>>> Abstract >>>>> >>>>> This document defines the HTTP header field "Client-Cert" that >>>>> allows >>>>> a TLS terminating reverse proxy to convey information about the >>>>> client certificate of a mutually-authenticated TLS connection to an >>>>> origin server in a common and predictable manner. >>>>> >>>>> Discussion around the value of having something like this defined >>>>> happened in the OAuth WG a bit before the Singapore meeting (no doubt >>>>> that's not the only time but it's the one in which I was involved recently) >>>>> and an AD nudged me to secdispatch - >>>>> https://mailarchive.ietf.org/arch/msg/oauth/jQ5MAZ1XCvxWbHwqlT3ITEEQoKo/ >>>>> falls somewhere in the middle of that long and sometimes contentious >>>>> thread. I was unable to get a draft published prior to the I-D submission >>>>> cut-off for Singapore and got a short "if time allows" presentation slot at >>>>> the meeting. The judgment coming out of that meeting was "needs draft". >>>>> >>>>> I did get an actual draft published a bit after Singapore (the one >>>>> with the ridiculously long title previously mentioned) and there's been >>>>> some, if not exactly an overwhelming amount of, discussion and support of >>>>> it on this very list: >>>>> https://mailarchive.ietf.org/arch/search/?q=%22draft-bdc-something-something-certificate%22 >>>>> >>>>> Thanks. >>>>> Brian Campbell >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and >>>>> privileged material for the sole use of the intended recipient(s). Any >>>>> review, use, distribution or disclosure by others is strictly prohibited.. >>>>> If you have received this communication in error, please notify the sender >>>>> immediately by e-mail and delete the message and any file attachments from >>>>> your computer. Thank you.* >>>>> _______________________________________________ >>>>> Secdispatch mailing list >>>>> Secdispatch@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/secdispatch >>>>> >>>> >>> *CONFIDENTIALITY NOTICE: This email may contain confidential and >>> privileged material for the sole use of the intended recipient(s). Any >>> review, use, distribution or disclosure by others is strictly prohibited. >>> If you have received this communication in error, please notify the sender >>> immediately by e-mail and delete the message and any file attachments from >>> your computer. Thank you.* >> >> > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.*
- [Secdispatch] Request for secdispatch time slot i… Brian Campbell
- Re: [Secdispatch] Request for secdispatch time sl… Michael Richardson
- Re: [Secdispatch] Request for secdispatch time sl… Eric Rescorla
- Re: [Secdispatch] Request for secdispatch time sl… Benjamin Kaduk
- Re: [Secdispatch] Request for secdispatch time sl… Mohit Sethi M
- Re: [Secdispatch] Request for secdispatch time sl… Michael Richardson
- Re: [Secdispatch] Request for secdispatch time sl… Brian Campbell
- Re: [Secdispatch] Request for secdispatch time sl… Brian Campbell
- Re: [Secdispatch] Request for secdispatch time sl… Eric Rescorla
- Re: [Secdispatch] Request for secdispatch time sl… Salz, Rich
- Re: [Secdispatch] Request for secdispatch time sl… Eric Rescorla
- Re: [Secdispatch] Request for secdispatch time sl… Salz, Rich
- Re: [Secdispatch] Request for secdispatch time sl… Michael Richardson
- Re: [Secdispatch] Request for secdispatch time sl… Eric Rescorla
- Re: [Secdispatch] Request for secdispatch time sl… Salz, Rich
- Re: [Secdispatch] Request for secdispatch time sl… Brian Campbell
- Re: [Secdispatch] Request for secdispatch time sl… Brian Campbell
- Re: [Secdispatch] Request for secdispatch time sl… Eric Rescorla