Re: [Secdispatch] Request for secdispatch time slot in Vancouver IETF: Client-Cert HTTP Header

Michael Richardson <> Sun, 29 March 2020 22:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 64E753A0E15 for <>; Sun, 29 Mar 2020 15:13:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.012
X-Spam-Status: No, score=0.012 tagged_above=-999 required=5 tests=[SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zvASmHotPigm for <>; Sun, 29 Mar 2020 15:13:45 -0700 (PDT)
Received: from ( [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 403E83A0E11 for <>; Sun, 29 Mar 2020 15:13:44 -0700 (PDT)
Received: from ( [IPv6:2607:f0b0:f:2::247]) by (Postfix) with ESMTP id B9EE63897D; Sun, 29 Mar 2020 18:12:11 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by (Postfix) with ESMTP id A5981FC9; Sun, 29 Mar 2020 18:13:39 -0400 (EDT)
From: Michael Richardson <>
To: Benjamin Kaduk <>, Eric Rescorla <>, IETF SecDispatch <>, Brian Campbell <>
In-Reply-To: <>
References: <> <> <>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.1.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Sun, 29 Mar 2020 18:13:39 -0400
Message-ID: <25595.1585520019@localhost>
Archived-At: <>
Subject: Re: [Secdispatch] Request for secdispatch time slot in Vancouver IETF: Client-Cert HTTP Header
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 29 Mar 2020 22:13:48 -0000

On Fri, Mar 27, 2020 at 10:21:17AM -0700, Eric Rescorla wrote:
    >> Overall, I agree that something like this is needed. However,
    >> I have two concerns about the mechanism described here.
    >> First, as you note in S B.1., if the header is not properly
    >> sanitized, there is a trivial attack and there are stronger
    >> mechanism that do not require sanitization:
    >> "Client-Cert" header that would appear to the backend to have come
    >> from the reverse proxy.  Although numerous other methods of
    >> detecting/preventing header injection are possible; such as the use
    >> of a unique secret value as part of the header name or value or the
    >> application of a signature, HMAC, or AEAD, there is no common general
    >> standardized mechanism.  The potential problem of client header
    >> injection is not at all unique to the functionality of this draft and
    >> it would therefor be inappropriate for this draft to define a one-off
    >> solution.  In the absence of a generic standardized solution existing
    >> currently, stripping/sanitizing the headers is the de facto means of
    >> protecting against header injection in practice today.  Sanitizing
    >> This seems like an odd argument to make: if a strong mechanism is
    >> in order, we should design one and make it generic, not just throw
    >> and continue to use weaker mechanisms.

I agree: it seems like we ought to make some kind of more generic mechanism.
It feels like we are creating a new reverse-proxy/framework channel.
The stupidest version I can imagine is two sets of HTTP headers... message/rfc822 like.

There are a bunch of such interfaces around already, and maybe we can do this
if we assume HTTP/2 here.

Benjamin Kaduk <> wrote:
    > Hmm, that requires the proxy to keep that state around (either locally or
    > in the resumption ticket).  Brainstorming, in TLS 1.3 one could also have
    > the application manage the authentication state by having the proxy not
    > issue tickets right at the handshake completion, and instead wait for the
    > application to return a blob to include in the ticket.  This would provide
    > a convenient excuse for adding a way to secure the proxy/backend channel,
    > with the proxy adding a header with a key fingerprint, and the backend
    > encrypting its response to that key, only if the key is whitelisted in the
    > application's configuration.  On the other hand, it's more moving

I think that you two have potentially given a reasonable technical reason why
this work is not as trivial as envisioned, and that we need to boil a bit
more water here, without an entire ocean.  That maybe it requires a
significant part of a WG, if not an entire WG.

It was mentioned that HTTPBIS plans to cleave of some pieces, but I don't
have the time to follow all of HTTPBIS...

Michael Richardson <>ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-