Re: [Secdispatch] [saag] SECDISPATCH WG Summary from IETF 106

Michael Richardson <> Mon, 20 January 2020 17:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 730BA1209E2 for <>; Mon, 20 Jan 2020 09:18:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 83Sl4CP7Jy53 for <>; Mon, 20 Jan 2020 09:18:32 -0800 (PST)
Received: from ( [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A91E61209DB for <>; Mon, 20 Jan 2020 09:18:32 -0800 (PST)
Received: from ( [IPv6:2607:f0b0:f:2::247]) by (Postfix) with ESMTP id 5EA993897E; Mon, 20 Jan 2020 12:18:00 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by (Postfix) with ESMTP id 236A05F5; Mon, 20 Jan 2020 12:18:31 -0500 (EST)
From: Michael Richardson <>
To: Brian Campbell <>
cc: "secdispatch\" <>
In-Reply-To: <>
References: <> <> <22451.1579452735@localhost> <>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Mon, 20 Jan 2020 12:18:31 -0500
Message-ID: <4920.1579540711@localhost>
Archived-At: <>
Subject: Re: [Secdispatch] [saag] SECDISPATCH WG Summary from IETF 106
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 20 Jan 2020 17:18:39 -0000

    bc> Via email exchange it's not entirely clear whether that's a compliment or a
    bc> criticism or just an observation.


    bc> It was meant as a nod to the header name chosen in the example on slide 4
    bc> of


    >> draft-ietf-anima-bootstraping-keyinfra (aka BRSKI) makes use of TLS Client
    >> Certificates in the Registrar.
    >> I have a document on operational considerations for Registrars,
    >> draft-richardson-anima-registrar-considerations
    >> and I've added your document as reference.
    >> In section 1, you may wish to reference:
    >> although I can't find a section in
    >> that describes the Client Certificate variable.  I use "SSL_CLIENT_CERT"
    >> and more recently, "rack.peer_cert" in my code.

    bc> AFAIK, those are de facto names originating out of defaults or
    bc> documentation from reverse proxy implementations that allow for similar
    bc> behaviour with respect to the client cert. Apache mod_ssl and Ruby thin
    bc> respectively I think.

    bc> For better or worse, I tried to choose a name that's meaningful and
    bc> shortish. And one that doesn't look like it came from the default
    bc> documentation of some popular web server.

My point is to
  a) point to de-facto names which are currently being used to demonstrate
     the need for a standard.
  b) indicate if the contents are the same or different.

    mcr> ** I would like to have access to the entire client certificate *chain* **
    >> Not just the End-Entity certificate.
    >> If any internal trust anchors were used to validate the chain, I also would
    >> prefer to receive them as well.
    >> Finally, I need to be able to configure the reverse proxy to do the TLS
    >> operation on the assumption that the certificate validates, even if the
    >> reverse proxy does not know how to validate the certificate chain itself.
    >> I need, therefore, to know if the certificate chain was validated, or not.

    bc> In writing up this initial draft, I waffled about whether or not to include
    bc> intermediate signers and/or the whole chain. Although I landed on only
    bc> passing the leaf certificate, this is certainly something that's up for
    bc> discussion should this document find a home where it can be worked on and
    bc> progressed.

good, we agree.
Isn't httpbis the obvious WG here?

It could be that we should have two headers.
One for the EE, and one (or many?) for the chain.

    >> You write:
    >> Forward proxies and other intermediaries MUST NOT add the Client-Cert
    >> header to requests.
    >> but, the reverse proxy can not control what is sent to it, and you
    >> shouldn't
    >> try to write normative language there.

    bc> True, the reverse proxy can not control what is sent to it. But it's meant
    bc> to be normative language towards other forward proxies and other
    bc> intermediaries to say that they can't/shouldn't be adding this thing. Which
    bc> seems legit (and something I'm told is supposed to be covered for registry
    bc> requests on header fields). Perhaps that text can be moved or adjusted in a
    bc> way that makes the distinction more clear.

Sure. I'm saying no normative language about another entity.
The normative language should say that reverse proxies MUST remove the header
when coming in.

    >> You already handle this:
    >> 2) Any occurrence of the Client-Cert header in the original incoming
    >> request MUST be removed or overwritten before forwarding the request.
    >> and leave it like that, maybe emphasis this.
    >> Maybe reverse proxies SHOULD reject requests that have a Client-Cert header
    >> in them, period?

    bc> That's certainly an option. I suppose there are tradeoffs between rejecting
    bc> vs. cleaning such requests. Maybe a MAY would be appropriate for something
    bc> like that so as to give the proxy the option. Again, that's something that
    bc> could be fleshed out in discussions if this thing finds a home.

It seems like a request that arrives with Client-Cert in it is at best
misconfiguration, and at worse an attack.  It can't be legitimate.
I think that being tolerant here does not benefit anyone.

Michael Richardson <>ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-