Re: [TLS] Commentary on the client authentication presentation slides

Yoav Nir <> Mon, 10 August 2015 19:54 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 6FB011A86EB for <>; Mon, 10 Aug 2015 12:54:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ND0mb0DjRXHE for <>; Mon, 10 Aug 2015 12:54:07 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9BDCA1A011B for <>; Mon, 10 Aug 2015 12:54:06 -0700 (PDT)
Received: by wicja10 with SMTP id ja10so40047419wic.1 for <>; Mon, 10 Aug 2015 12:54:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=MbDLnuhFVdYTi7uPhMa0uWtM2YGULLItTXpOejKH048=; b=fZhbNJpt9VT8cmzTxdBM5Pu1S/9GAPQfBxZYqk603kdqIo/uoCljcEDmKCm/5L1K0y IHg8OkdShw1/RojD8dBP6ohE7FXsEQD7fGiu1tXx4I+wA9WtE9eL9xJBOmsgadcA5mKg qqXPIvaxXK83yOKMhA6y0mifTSId8iJq83W1MvyRXAMdg5trtKZbAP+Z+tqX49WDwO+i 2XWJFDL2Z8m8adXQj+VZifdSngcu4xuK7FAEpov/oTOhJUOOMTwFcE5ept4w9GXjdP7w eqdxamIV+++T/IdTWRkeWb0ilToVsbYXdUXZobM6mKfCD1RFx0jxhqI73OxPr1WZ48RE OEaw==
X-Received: by with SMTP id hf3mr45984018wjc.78.1439236445274; Mon, 10 Aug 2015 12:54:05 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id fn8sm1430845wib.2.2015. (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 10 Aug 2015 12:54:04 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
From: Yoav Nir <>
In-Reply-To: <>
Date: Mon, 10 Aug 2015 22:53:22 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <20150720141036.GA32204@LK-Perkele-VII> <> <> <> <20150801084849.GA7162@LK-Perkele-VII> <> <20150802182908.GA29836@LK-Perkele-VII> <> <20150808090351.GA14947@LK-Perkele-VII> <> <> <>
To: Andrei Popov <>
X-Mailer: Apple Mail (2.2102)
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Commentary on the client authentication presentation slides
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 10 Aug 2015 19:54:08 -0000

> On Aug 10, 2015, at 10:04 PM, Andrei Popov <> wrote:
>> Ideally a solution would work with HTTP/1 over TLS 1.3, HTTP/2 over TLS 1.3, HTTP/2 over TLS 1.2, and for completeness HTTP/1 over TLS 1.2.
> Correct, anything less than this will create deployment problems.
>> I’d like to point out that I am very interested in this use case, but I’m not sure that this is the solution.
> I'm open to alternatives that fix the broken use case. 

One solution would be to move the authentication for this use case (and perhaps for HTTPS in general) from the transport layer to either HTTP as an authentication method or to the application (through some standardized exchange of JSON objects).

Another option is to allow renegotiation and your mechanism in HTTP/2 with some change of behavior that eliminates the race condition. For example:
 1. The server receives a request for a resource that requires a client certificate
 2. The server sends a new HTTP message (or code) that says that client certificate authentication is required.
 3. The client sends a new HTTP control frame with the highest number of resource that it has requested.
 4. The server finishes serving all resources that don’t need authentication with a number below what the client sent
 5. The client does not initiate any new requests.
 6. When the server is done, it initiates renegotiation or the new mechanism
 7. After renegotiation, the client can resume sending requests, all of which are authenticated.

The details may be different, but something like this can bring determinism to the process.

>> We still get a race condition where several requests might be answered before, after or during authentication depending on the timing of the TLS handshake message vs the HTTP messages.
> The idea is that before answering a request that requires client auth, the server checks if a client cred is available. If there is no suitable client cred available, the request is blocked until the client authenticates. This does not necessarily have to block other requests that do not require client auth.

This is a somewhat contrived example, but consider an object in the web page that says “Hello, guest” when no credential is available, and “Hello, Andrei” when a credential is available.  If the page has optional authentication and you have presented the certificate, then depending on timing you might still see “Hello, guest” on the page.