IETF Logo Mail Archive

Re: [Secdispatch] Request for secdispatch time slot in Vancouver IETF: Client-Cert HTTP Header

Brian Campbell <bcampbell@pingidentity.com> Mon, 30 March 2020 21:03 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B488F3A0766 for <secdispatch@ietfa.amsl.com>; Mon, 30 Mar 2020 14:03:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r0TEk7QU4KQV for <secdispatch@ietfa.amsl.com>; Mon, 30 Mar 2020 14:03:51 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA03E3A0897 for <secdispatch@ietf.org>; Mon, 30 Mar 2020 14:03:27 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id p10so19465862ljn.1 for <secdispatch@ietf.org>; Mon, 30 Mar 2020 14:03:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EMiXTm86ckd4/1kEt/YvuoPPfP8llHvaFoGHqkD71tg=; b=MP+ZMRIMVc+jVDonIObKduQyflU1iCCBehYpWO7T/AMAktkZIo7Y+yQuKQVNyYsdr3 z3mX1A5XgQuZ47LpqCNM9d4dyXvilPWKsBd3KstQJOSmmgSWMMw9yzIZhpf30keu6md1 9HI0HTG8DFlId8PmUtESWmdQYqUFc6+Qd12NgHGHnNDwCme+vE7yiMI5uaKjJQzipjYU U9ILP4e26RI2bQa0TVn5dAmaZVU4o/5tSmV3xCGse/dzcGqaMT69++RSQLMmQIr1KDZa H1yw2hn2jegZFQgMvmAuM6eWJWJotHkbyDZcGWackQVejvdx7Ao/PLs+dDF+UfBVnRRK F0Jg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EMiXTm86ckd4/1kEt/YvuoPPfP8llHvaFoGHqkD71tg=; b=hO8QDmwBNzK/olGKbYi5veq/OE+6hFLITLJ0vZ2fvrUfBDTpLP903JqTurdHCU/voy j0B8cEkJqpWRZi0qZMOfRermpHQbezo4BTWDr5hgGvKJ8EqB5TOcrdXZwNRQuO5Geszv oaZzr8dQw/lXm70cIHFL2HM5g3HUf+EmU+wKPJsXNurgvgtS618nh3ZZHLNJiTe56MNE GLf3L/Ji3FvD87mdj4w2WaoyabC5gCs7+u5dDLRtcFqLvB+GA652zLqfIGbXTqutDLQ8 6SAlDWBQVMq92AXejH/8w7JbaPk4c0+hWLGSwz+sb6MFu6nOP+pQd+eJeF8PicRswyig uEQw==
X-Gm-Message-State: AGi0Pua9fVbEUBIiyzRVh97AmQTAaDcAarc3wJ1rw8IIhnNkax+tDgkY Qd6RNCv/CiMVlqVUAIvP1ekd3QFjTO5QwrafRCnAEvA1V3AyuufBoOmcibjcZB2EfPWvYzySOIP +mx4O0KNbdlOrjNPk029Z3w==
X-Google-Smtp-Source: APiQypLJ2FgwBoBQJynH82isF2eDWpWLLM4xtlE5lTPr8j+9aHD43kl6AD7Tnw4x/QThIqNUK8yb6s+mHZg5JxKh5bY=
X-Received: by 2002:a2e:97cd:: with SMTP id m13mr8435962ljj.20.1585602205609; Mon, 30 Mar 2020 14:03:25 -0700 (PDT)
MIME-Version: 1.0
References: <CA+k3eCTPisEFnxecjzpNAssSbTuUbUxQ+Hm+m+sjq__2Cpy9pg@mail.gmail.com> <CABcZeBPJO4j0KZk=zjopN2oEWLN-NrYRtKO=GuQ2e5CzH7=iPA@mail.gmail.com> <CA+k3eCQ9hd6rOkxLjS3hACMT3=eC+ojq3DS_XgkcRHRrJc7xdA@mail.gmail.com> <CABcZeBNroHGFdRXJE1X3PxF__SNeH_X3FAjJDVRgCTwGaORDLg@mail.gmail.com>
In-Reply-To: <CABcZeBNroHGFdRXJE1X3PxF__SNeH_X3FAjJDVRgCTwGaORDLg@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 30 Mar 2020 15:02:58 -0600
Message-ID: <CA+k3eCS6Ua-JOOw=kRST2aZo_0BXuYw21p+nYK1D7xrdDZVDXA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: secdispatch-chairs@ietf.org, IETF SecDispatch <secdispatch@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000038884405a218c8a3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/vZoVgqbIZg-O95WRHN403yzL_X0>
Subject: Re: [Secdispatch] Request for secdispatch time slot in Vancouver IETF: Client-Cert HTTP Header
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2020 21:03:56 -0000

I didn't expect it to be any more persuasive. I was only hoping it'd be
sufficient to avoid relitigating the whole thing. Especially because, short
of spinning up a significant bit of new work, I don't see how the outcome
will be any different. I'm not looking for just for a code point
registration for something that's de facto. I'm endeavoring to bring some
level of commonality to a situation that happens in practice now so as to
hopefully improve interoperability.

Indeed the situation may not be quite as straightforward as I have
presented it in an early revision of an individual draft. But I'd suggest
that characterizing it as "very brittle" is a bit hyperbolic.

In working on the document I did try to educate myself somewhat on things
that would be less than straightforward. When doing that I came across the
recently published RFC 8740, which "updates RFC 7540 [HTTP/2] by forbidding
TLS 1.3 post-handshake authentication."



On Mon, Mar 30, 2020 at 12:13 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Mon, Mar 30, 2020 at 10:38 AM Brian Campbell <
> bcampbell@pingidentity.com> wrote:
>
>>
>> Thanks for the review and feedback, Eric. My attempts at
>> answers/responses are inline below.
>>
>> On Fri, Mar 27, 2020 at 11:22 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>>
>>> Overall, I agree that something like this is needed. However,
>>> I have two concerns about the mechanism described here.
>>>
>>> First, as you note in S B.1., if the header is not properly
>>> sanitized, there is a trivial attack and there are stronger
>>> mechanism that do not require sanitization:
>>>
>>>    "Client-Cert" header that would appear to the backend to have come
>>>    from the reverse proxy.  Although numerous other methods of
>>>    detecting/preventing header injection are possible; such as the use
>>>    of a unique secret value as part of the header name or value or the
>>>    application of a signature, HMAC, or AEAD, there is no common general
>>>    standardized mechanism.  The potential problem of client header
>>>    injection is not at all unique to the functionality of this draft and
>>>    it would therefor be inappropriate for this draft to define a one-off
>>>    solution.  In the absence of a generic standardized solution existing
>>>    currently, stripping/sanitizing the headers is the de facto means of
>>>    protecting against header injection in practice today.  Sanitizing
>>>
>>> This seems like an odd argument to make: if a strong mechanism is
>>> in order, we should design one and make it generic, not just throw
>>> and continue to use weaker mechanisms.
>>>
>>
>> Ironically, that text was written (at least in part) in an attempt to
>> head off having this very argument with you. We (you and I specifically)
>> have been down this road before discussing essentially the same issue with
>> respect to (the now defunct for unrelated reasons)
>> https://datatracker.ietf.org/doc/draft-ietf-tokbind-ttrp/ and there sure
>> didn't seem to be be sufficient appetite to work on a generic solution.
>>
>
> Well, I don't know why you think that I would have found it more
> persuasive this time around.
>
>
> Maybe that's changed and there is more of an appetite now? Maybe. There
>> was some talk at the secdispatch session of the prospect of spinning up or
>> splitting off a WG to work on reverse proxy stuff. But a lot more than talk
>> is needed and I maintain that, in the absence of something generic being
>> defined and widely available, the de facto is sufficiently good and
>> appropriate for a document/draft like this.
>>
>
> Well, if what you want is a code point registration for something that's
> de facto, then sure, but if you want to have an IETF PS, then the solution
> should reflect what we ordinarily consider to be best practice.
>
>
>
>>
>>>
>>> Second, I think it's quite unwise to only pass the EE cert. This
>>> means that the server will be unable to independently evaluate
>>> the cert chain, which (1) is unduly restrictive on the architecture
>>> because it forces the proxy to do it and (2) means that there
>>> is no backstop in the case where the proxy makes errors or
>>> has a not-very-good validator. You should pass the whole chain.
>>>
>>
>> Passing the end-entity cert vs. including intermediates or the whole
>> chain is something that's up for discussion should this document find a
>> home where it can be worked on and progressed. As with most things, there
>> are tradeoffs involved.
>>
>> What you describe as unduly restrictive, however, could also be viewed as
>> properly constraining different components to doing the most appropriate
>> functionality. The backend server doing the validation would mean it has to
>> evaluate the cert chain on every request (which is likely prohibitively
>> expensive with multiple public key opperations) and/or have some
>> complicated caching. And allowing either piece to do the validation could
>> also increase the likelihood that things are set up such that neither
>> actually does it.
>>
>
> ISTM that we have quite a bit of experience with MITM proxies (a slightly
> different setting) and the quality of checking varies wildly, so I would
> prefer to leave the origin server with the ability to do this work.
>
>
>
>>
>>
>>> This also implies that you should have a way to pass extensions
>>> such as SCTs and stapled OCSP responses.
>>>
>>
>> I was under the (maybe naive) impression that such things were largely or
>> even exclusively for the server side and not applicable or defined for the
>> client side?
>>
>
> That's the situation now, but it might not be in the future.
>
>
>>
>>
>>>
>>> Finally, two points about TLS integration.
>>>
>>> 1. You should define how this works in the case of resumption
>>> of a connection that had client auth. Should the proxy attach the
>>> chain from the original connection?
>>>
>>
>> Is such a resumed connection still considered to be client authenticated?
>> I thought so and thus my assumption/expectation was that yes the proxy
>> would attach the chain from the original connection. Is that problematic
>> for some reason? Or are you just saying that it needs to be stated
>> explicitly in the document?
>>
>
> I'm saying that it needs to be in the document.
>
>
>>
>>>
>>> 2. How do you handle post-handshake client authentication? Specifically:
>>> (a) How do you handle the situation in which part of the HTTP
>>> request is covered by the client cert?
>>>
>>> (b) Post-handshake client authentication allows for the client
>>> to authenticate with multiple certificates one after the other.
>>> How is this propagated to the server?
>>>
>>
>> I'd been thinking that post-handshake authentication and renegotiation
>> were forbidden so these questions were out of scope. But I guess that only
>> applies to HTTP/2?
>>
>
> I'm not aware of any restriction on post-handshake auth for H2 (H2 was
> designed before TLS 1.3).
>
> -Ekr
>
>
>> So, off-the-cuff I'd say that for (a) the header is only passed on
>> requests that are covered in full by the cert. But that pragmatically it's
>> super difficult or impossible with the APIs in the average environment to
>> figure out what application data came before or after the cert auth and so
>> it'll end up being however a particular proxy implementation treats this
>> situation currently but just with a standard header. For (b) I'd say only
>> propagate the most recent one.
>>
>> Having given my half-assed answers though, I'd welcome input if you think
>> there are better answers.
>>
>>
>>
>>
>>>
>>> On Mon, Mar 2, 2020 at 1:51 PM Brian Campbell <bcampbell=
>>> 40pingidentity.com@dmarc.ietf.org> wrote:
>>>
>>>> Hello SecDispatchers and Chairs thereof,
>>>>
>>>> I'd like to request some time on the agenda in Vancouver to present on
>>>> https://datatracker.ietf.org/doc/draft-bdc-something-something-certificate/
>>>> in an effort to gauge interest and potentially find an appropriate venue
>>>> for the work to proceed (or just put it and its ridiculously long title out
>>>> of its misery).
>>>>
>>>> Client-Cert HTTP Header: Conveying Client Certificate Information from
>>>>      TLS Terminating Reverse Proxies to Origin Server Applications
>>>>
>>>> Abstract
>>>>
>>>>    This document defines the HTTP header field "Client-Cert" that allows
>>>>    a TLS terminating reverse proxy to convey information about the
>>>>    client certificate of a mutually-authenticated TLS connection to an
>>>>    origin server in a common and predictable manner.
>>>>
>>>> Discussion around the value of having something like this defined
>>>> happened in the OAuth WG a bit before the Singapore meeting (no doubt
>>>> that's not the only time but it's the one in which I was involved recently)
>>>> and an AD nudged me to secdispatch -
>>>> https://mailarchive.ietf.org/arch/msg/oauth/jQ5MAZ1XCvxWbHwqlT3ITEEQoKo/
>>>> falls somewhere in the middle of that long and sometimes contentious
>>>> thread. I was unable to get a draft published prior to the I-D submission
>>>> cut-off for Singapore and got a short "if time allows" presentation slot at
>>>> the meeting. The judgment coming out of that meeting was "needs draft".
>>>>
>>>> I did get an actual draft published a bit after Singapore (the one with
>>>> the ridiculously long title previously mentioned) and there's been some, if
>>>> not exactly an overwhelming amount of, discussion and support of it on this
>>>> very list:
>>>> https://mailarchive.ietf.org/arch/search/?q=%22draft-bdc-something-something-certificate%22
>>>>
>>>> Thanks.
>>>> Brian Campbell
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>> privileged material for the sole use of the intended recipient(s). Any
>>>> review, use, distribution or disclosure by others is strictly prohibited..
>>>> If you have received this communication in error, please notify the sender
>>>> immediately by e-mail and delete the message and any file attachments from
>>>> your computer. Thank you.*
>>>> _______________________________________________
>>>> Secdispatch mailing list
>>>> Secdispatch@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/secdispatch
>>>>
>>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email