Re: [TLS] HTTPS client-certificate-authentication in browsers

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 27 July 2011 00:28 UTC

Message-ID: <4E2F5BA0.4020507@fifthhorseman.net>
Date: Wed, 27 Jul 2011 02:28:16 +0200
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: tls@ietf.org
References: <201107261911.p6QJB3Dv011457@fs4113.wdf.sap.corp> <4E2F1B65.2080404@telia.com>
In-Reply-To: <4E2F1B65.2080404@telia.com>

On 07/26/2011 09:54 PM, Anders Rundgren wrote:
> It actually quite hard writing an HTTPS CCA based web app that
> has similar login and session characteristics as one using password
> authentication.

What's so hard about it?  Designate a URL (e.g.
http://example.com/login) that triggers a request for client-side
certificates.  When the user visits that URL with an acceptable
client-side certificate, set a session cookie, and redirect them back to
the page they were coming from.

When the user is not logged in, show them a login link that points to
the designated URL.

When they are logged in, show them a logout link that takes them to a
URL that clears the session cookie.

Am i missing something that makes this approach difficult or wrong?

	--dkg
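The flow sketched in the message above (designated login URL that triggers the client-certificate request, session cookie on success, redirect back, logout link that clears the cookie), as an added example that is not part of the thread. It assumes a TLS-terminating front end such as Apache mod_ssl with `SSLVerifyClient require` scoped to `<Location /login>`, which hands the application the verification verdict as `SSL_CLIENT_VERIFY` and the certificate subject as `SSL_CLIENT_S_DN`; the login URL has to be served over HTTPS for the certificate request to happen at all. The path names, cookie name, the `SESSIONS` store and the `call` helper are all constructed for illustration.

```python
"""Client-certificate login flow as a WSGI app (added example, not from the thread).

Assumes a TLS-terminating front end such as Apache mod_ssl with
``SSLVerifyClient require`` scoped to ``<Location /login>``, which exports the
verification verdict to the application as SSL_CLIENT_VERIFY and the
certificate subject as SSL_CLIENT_S_DN.  Everything else here is constructed.
"""
import secrets
from html import escape
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, quote, urlsplit

LOGIN_PATH = "/login"
LOGOUT_PATH = "/logout"
COOKIE = "session"

# Server-side session store: opaque random token -> client cert subject DN.
# Keeping the DN server-side means the cookie itself carries no identity.
SESSIONS = {}


def _cookies(environ):
    jar = SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    return {name: morsel.value for name, morsel in jar.items()}


def _safe_next(target):
    """Redirect only to a same-site path, so ?next= cannot become an open redirect."""
    parts = urlsplit(target or "")
    bad = (parts.scheme or parts.netloc or not parts.path.startswith("/")
           or parts.path.startswith("//") or "\\" in parts.path)
    if bad:
        return "/"
    return parts.path + ("?" + parts.query if parts.query else "")


def _set_cookie(value, expire=False):
    attrs = f"{COOKIE}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
    if expire:
        attrs += "; Max-Age=0"
    return ("Set-Cookie", attrs)


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    query = dict(parse_qsl(environ.get("QUERY_STRING", "")))
    token = _cookies(environ).get(COOKIE)
    dn = SESSIONS.get(token)

    if path == LOGIN_PATH:
        # Only the TLS layer can demand the certificate; the app checks the
        # verdict it was handed rather than trusting a DN value on its own.
        subject = environ.get("SSL_CLIENT_S_DN")
        if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS" or not subject:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"client certificate required\n"]
        token = secrets.token_urlsafe(32)
        SESSIONS[token] = subject
        start_response("303 See Other",
                       [("Location", _safe_next(query.get("next"))), _set_cookie(token)])
        return [b""]

    if path == LOGOUT_PATH:
        # Drop the server-side session and expire the cookie in the browser.
        SESSIONS.pop(token, None)
        start_response("303 See Other", [("Location", "/"), _set_cookie("", expire=True)])
        return [b""]

    # Every other page: offer a login link or a logout link depending on state.
    if dn is None:
        body = f'<a href="{LOGIN_PATH}?next={quote(path)}">log in with certificate</a>'
    else:
        body = f'logged in as {escape(dn)} <a href="{LOGOUT_PATH}">log out</a>'
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode()]


def call(environ):
    """Invoke the app without a server; returns (status, headers dict, body bytes)."""
    out = {}

    def start_response(status, headers):
        out["status"], out["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return out["status"], out["headers"], body
```

The per-location certificate request is the part that depends on the TLS layer: with TLS 1.2 the front end renegotiates when `/login` is hit, while TLS 1.3 has no renegotiation, so there the login URL needs post-handshake authentication or its own virtual host that always requests a certificate. Either way the application only ever sees the verdict and the subject, which is why the handler re-checks `SSL_CLIENT_VERIFY` instead of assuming the front end did.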